Your last statement is incorrect, but best not to try and outline how to crack forests as there are many companies out there following the not so great practice of having lots of domain admins on child domains of a single forest.
If you sit down and think for a while, you will slowly figure out different ways that domains and forests could be penetrated. It is why you should not allow many admins and you shouldn�t allow much of anything to run as localsystem on DCs unless the domain admins are the ones controlling those things that are running... Think of AV Software, Monitoring Software, Update Software, Backup Software - anything that runs as localsystem that is commonly managed by someone outside of the domain admin group. Those should all be closely investigated and access turned down or management given to the domain admins. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M. Sent: Thursday, May 13, 2004 9:37 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] A root dc question If I recall correctly, a domain admin in a child domain can use the SID history function gain access to the parent domain. Once he has access to the parent domain, he can then add himself to the enterprise admins group. The part about "Use the SID history functionto gain access" is somewhat of a mystery to me. (Almost like magic) However, I do believe it ispassible. Your damage is limited to the child domain unless you use the SID history feature (i.e. magic) to hack into the parent domain. Denny -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Thursday, May 13, 2004 9:16 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] A root dc question 1. what do you mean by "an admin in any domain has the power of being an Entrprise admin"? i, being a domain admin of a child domain, do not have the power to put myself into the Enterprise admins group. A domain or enterprise admin in the root domain would have to do that for me. Also, as a domain admin in a child domain, i'm kinda limited to the damage i could do to the forest, no?I mean, i could screw up my domain royally, but i can't really do anything to screw up the forest( and completly hosing my domain would only cause replication errors generated in event logs and some repointing of exchange servers to different GC's). i can't modify the schema or install an app that does it for me. i can't link a wrong headed GPO to a site or create one on the root or any other domain. i can't create a site or subnet. And if a crashed and burned all my DC's wouldn't AD remove them permantely after 60 days? I'm sorry to belabour the point here and waste your time, but i really want to make a good case for our IT dept to have enterprise admin access and show why multiple seperate domain admins for multiple domains is not a good idea. as well as further my knowldge of what can and can't be done and what can and can't be screwed up. i'd like to convince everyone that playing nice is in our best interest. thanks, and again, i apologize for rehashing old posts. -----Original Message----- From: joe [mailto:[EMAIL PROTECTED] Sent: Thursday, May 13, 2004 8:34 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] A root dc question Wow this is like d�j� vu, I swear we went through this whole thought process a month or two ago on here.... The quick summary (no I will not spout the whole thing, it should be in the archives) of what I recall 1. An admin in any domain has the power of being an Enterprise Admin, domains ARE NOT security boundaries. Each child domain should not have different admins because that can result in chaos and possible danger to the entire forest. 2. You can not do DR testing with just a child domain. 3. Either your corp IT has to be involved with your DR testing or you should redesign into multiple forests. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, May 12, 2004 4:37 PM To: ActiveDir (E-mail) Subject: [ActiveDir] A root dc question My apologies if this seems basic and/or silly. Aside from creating new domains or modifying the schema, why would an admin need access to the root dc of a forest(the schema, domain namming master)? furthermore, why would an admin in a child domain need enterprise admin privilges? I only ask because we had issues with our test DR run wherein we didn't have access to the root domain and/or a test root domain vmware'd on a laptop and it ended miserably. i am in the process of convincing the higher ups in my corp of letting our IT dept have enterpise admin access. i'd like to make a case for us as to why we would need this accont with concrete examples(aside from the DR one). ones that a semi tech aware CIO could relate to. What other compelling reasons would one need these rights for in day to day(or not so day to day) AD administration? we are a multi-domain(14) win2k forest in mixed mode with exchange2k in native mode. Thank you in advance for any assitance. List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
