Actually, I
meant to direct this answer at Juan, since it’s his project. Thanks…
From: Creamer, Mark
Sent: Friday, July 30, 2004 9:11
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Is it
possible ? deny domain admins create new user permission
Robert, I
bet I know where you’re going with this, as we are doing the same type of
thing as part of an overall Sarbannes-Oxley compliance project. Basically, we
didn’t try to remove Domain Admins’ ability to create users, we simply
don’t have any domain admins anymore (at least in the traditional sense).
Everything is role based. On the occasion when we need a DA role, the security
team moves the person into the role for the duration of the change, and then
takes them back out again.
From: Rutherford,
Robert [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 29, 2004 7:31
AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Is it
possible ? deny domain admins create new user permission
This would not make any sense at
all as a domain admin is the top admin and could typically get around most
security. It may be possible to frig something but you shouldn't even be
thinking about it anyway.
What are your reasons for not allowing the
domain admin rights to create accounts? It is of course possible to allow
another party to create accounts and this is done through delegation.
What is your admin setup and what are you
trying achieve?
-----Original Message-----
From: "Sanz de Le�n, Juan Carlos"
[mailto:[EMAIL PROTECTED]
Sent: 29 July 2004 12:15
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Is it
possible ? deny domain admins create new user permission
Dear Gurus,
We are currently working on a project where we need to deny domain administrators
the permission to "create new users".(and assign it to some other
group) Is this technically possible ? Has anyone actually done it before ?
Thanks in advance for your help,
Juan Carlos Sanz
This e-mail and the information it contains are confidential and may be
privileged. If you have received this e-mail in error please notify the sender
immediately and delete the material from any computer. Unless you are the
intended recipient, you should not copy this e-mail for any purpose, or disclose
its contents to any other person.
The MCPS-PRS Alliance is not responsible for the completeness or accuracy of
this communication as it has been transmitted over a public network. Whilst the
MCPS-PRS Alliance monitors all communications for potential viruses, we accept
no responsibility for any loss or damage caused by this e-mail and the
information it contains.
It is the recipient's responsibility to scan this e-mail and any attachments
for viruses. Any
e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for
quality control and other purposes.
The MCPS-PRS Alliance Limited is a limited company registered in England under company number 03444246 whose registered office is at c/o 29-33 Berners
Street, London, W1T 3AB.
