Security Basics mailing list archives
RE: Restrict the Domain Admin
From: "Robert McIntyre" <robert.mcintyre () earthmail com>
Date: Mon, 19 Sep 2005 11:13:28 -0700

Hi List,

Is there a way to restrict access of a Domain Admin? Example, can we allow a Domain admin to do everything EXCEPT user management (e.g. password reset)?

We want to secure our environment, and do not want to have "ALL-POWERFUL" domain admins around.

Thanks for your suggestions

P.S. Environment: Windows (2000 & 2003) - Active Directory

I would not recommend messing with the Domain Admin rights. You might end up shooting yourself in the foot. Instead you could consider creating new domain groups with just the rights that you want them to have and restrict the Domain Admin group to just a small number of user accounts or maybe even just one for emergencies.

There are three ways to control the power and rights of your own group:

1. Control the groups that your new group is a member of.
2. Manually change the user rights that you assign to the group.
3. Use Active Directory to delegate control of objects in an OU to your new group.
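
Added example, not part of the original message: a PowerShell sketch of the third option, delegating only password reset on one OU to a dedicated group and then listing who still sits in Domain Admins. The OU, group and domain names are hypothetical placeholders, and it assumes the ActiveDirectory module and `dsacls.exe` are available on an admin workstation; on Windows 2000/2003 hosts the same `dsacls` arguments can be run from `cmd`.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module ActiveDirectory

$userOu    = 'OU=Staff,DC=example,DC=com'    # OU holding the user accounts
$groupOu   = 'OU=Groups,DC=example,DC=com'   # where the delegated group lives
$groupName = 'Helpdesk-PwdReset'
$trustee   = "EXAMPLE\$groupName"            # NetBIOS domain\group

# Create a dedicated global security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global `
                -GroupCategory Security -Path $groupOu
}

# Delegate on user objects below the OU only (/I:S = sub-objects only):
#   CA;Reset Password -> extended right to set a new password
#   WP;pwdLastSet     -> allow forcing "must change password at next logon"
#   WP;lockoutTime    -> allow unlocking a locked-out account
$grants = @(
    "${trustee}:CA;Reset Password;user",
    "${trustee}:WP;pwdLastSet;user",
    "${trustee}:WP;lockoutTime;user"
)
foreach ($ace in $grants) {
    dsacls $userOu /I:S /G $ace | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for ACE: $ace" }
}

# Show the ACEs now present for the group so the delegation can be reviewed.
dsacls $userOu | Select-String -SimpleMatch $groupName

# Review who still holds full Domain Admin rights (nested members included).
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
          Sort-Object SamAccountName
$admins | Select-Object SamAccountName, objectClass
if (@($admins).Count -gt 2) {
    Write-Warning "Domain Admins has $(@($admins).Count) members; review them."
}
```

The threshold of two in the final check is an arbitrary illustration; set it to whatever number of emergency accounts the organisation has agreed on.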