I'm sure most people here can relate to what you are describing. And very few
of us can win the battle as well as Joe :). While I am not trying to dictate
any "best practice" to you ("best practice" is a relative term AFAIC), I
still think that giving this best such a wide latitude as "Domain Admins"
privilege and then trying to circumvent that privilege is not ideal. Proper
use of delegation will ensure that this user will be able to do just "as
much" as he NEEDS to be able to do. I've had people ask for Domain Admins
privileges because they need to do certain things or their applications
require that privilege. After showing them how the NEEDS can be met by using
other means, they are happy and non-argumentative. I can tell you now that if
you give me Domain Admin privileges to your domain, you will need to have
access to the Windows source code in order to be able to limit what I can do
on your domain. Either that, or you will have to be one of the Gurus on this
list :)
My idea of security is to start from least privilege and add more as you go.
But, that is "My idea".
Sincerely,
Dèjì Akómoláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Stuart, Cory G.
Sent: Mon 2/16/2004 10:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restrict Administrative Privileges
The questions that are posed are definitely good ones. We, however, know
that to be a manager (those who make these wonderful decisions), possessing
logic is not a prerequisite. It's just a pain because it's such a limited
set of accounts that this admin is not supposed to be able to manage. To
specify what this admin can't do (because it's such a limited subset) should
be a lot less work than having to grant permissions for everything that the
admin can do. By also removing this admin's permissions to change these
specific users' passwords (user by stinking user), denying the admin's ability
to add new users to the Domain Admins group, and denying the admin's ability to
change any other domain admins' password, I think that I'm in business. If
you can think of anything that I'm leaving out, please throw me a bone. :)
Thanks!!!
Cory
-----------------------------------
Cory G. Stuart
Network Administrator
Nuclear Engineering Division
Argonne National Laboratory
-----------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, February 16, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restrict Administrative Privileges
You can try setting "deny" for "Reset Password" permission. But that would
not stop a knowledgeable (or determined) Domain Admin. Which then raises the
question of trust. Why make this person a Domain Admin if you do not trust
him/her with access to EVERYTHING?
In my opinion, trying to deny him access to "some" objects after you've given
him a blank check to ALL the objects in the Domain is not the way to go. I'd
remove him/her from Domain Admins group, then grant him/her access to things
he/she NEEDS (not WANTS) access to.
Sincerely,
Dèjì Akómoláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Stuart, Cory G.
Sent: Mon 2/16/2004 9:26 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Restrict Administrative Privileges
Hi All,
Is there a way to deny password changing abilities to a Domain
Administrator for only a limited set of accounts? These accounts reside in
their own OU, which, because of the permissions set, that Domain Admin cannot
even see in ADUC. I thought that my problem was solved. I just
found out that this Domain Admin can still use DSMOD to change passwords of
users within that OU. Any help is appreciated!
Thanks!!
Cory
-----------------------------------
Cory G. Stuart
Network Administrator
Nuclear Engineering Division
Argonne National Laboratory
-----------------------------------
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
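The delegation approach recommended in this thread (grant the Reset Password right on the one OU to a non-Domain-Admin principal, then audit who holds it), as an added PowerShell example that is not part of any message above. It assumes the RSAT ActiveDirectory module and uses placeholder OU and group names.

```powershell
# Added example, not from the thread: delegate "Reset Password" on one OU to a
# help-desk group instead of handing out Domain Admins, then audit the OU's DACL.
# Assumptions: RSAT ActiveDirectory module; OU DN and group name are placeholders.
Import-Module ActiveDirectory

$OU        = 'OU=Protected Users,DC=example,DC=com'       # placeholder DN
$Delegate  = 'EXAMPLE\HelpDesk-PasswordReset'              # placeholder group
$ResetPwd  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$UserClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema GUID of the user class

$sid = [System.Security.Principal.NTAccount]::new($Delegate).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Allow Reset Password on user objects beneath the OU (descendants only, not the OU itself).
$acl = Get-Acl -Path "AD:\$OU"
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPwd,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Audit: every principal that can reset passwords in this OU, explicit or inherited.
# An ACE whose ObjectType is the empty GUID covers all extended rights, so it is
# included. A Deny ACE for Domain Admins would show up here too, but as the thread
# notes, a Domain Admin can simply rewrite this DACL, so the audit is a check on
# delegation, not a control against Domain Admins.
Get-Acl -Path "AD:\$OU" |
    Select-Object -ExpandProperty Access |
    Where-Object {
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $ResetPwd -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited, InheritanceType |
    Format-Table -AutoSize
```

Run the audit part on its own before and after the delegation to confirm that only the intended group (plus the built-in inherited entries) holds the right.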