> However, would it have merit to be able to remove perms from the DA?

I guess so, if you could make it stick, otherwise it is simply a false sense of security. I would argue that is worse than openly giving people permissions, because if you know someone has the rights to do something, you look at them differently than when you think they don't have it.

> So, all in all - leave the DA alone. Security groups and the ability
> to create new users and delegate to the group is there for a reason.

Absolutely. You obviously need DAs, but it should be a very small, very trusted group. If you have "gurus" in your company, they are the ones that get that access. Preferably no one else.

> But, more importantly - was that a 7 or 8 lb trout?

I went small, 4 pounder. I want you thinking straight when you go to DEC and need to smack people if they try to give away compromise knowledge that is better earned. That knowledge doesn't help you to know because it doesn't give you any way to protect yourself. It just makes you think twice about allowing anyone to log into DCs locally, which people should be doing already because we keep telling them that. ;o)

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, February 22, 2005 10:49 PM
To: [email protected]
Subject: RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

> adminSDHolder shouldn't come into play here. That controls permissions
> ON the admin user objects, not on the OUs that admins would want to control.

Yeah, I guess I'll have to concede that... ;o)

As to the DA being able to grab ownership and, in effect, re-grant everything that you've taken away - I see the reason and don't argue it in the worst of cases. However, would it have merit to be able to remove perms from the DA? Obviously, as I stated - the best solution is to leave the DA alone and create the role/group mechanism that gives the DA-wannabe the appropriate permission to do their job, but nothing more.

So, all in all - leave the DA alone. Security groups and the ability to create new users and delegate to the group is there for a reason.

But, more importantly - was that a 7 or 8 lb trout?

:=p

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 22, 2005 9:07 PM
To: [email protected]
Subject: RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

adminSDHolder shouldn't come into play here. That controls permissions ON the admin user objects, not on the OUs that admins would want to control.

The thing is, admins can always take ownership of the OU where you are stripping their rights. This is why you can't remove their ability to do things. This is like people who give Create OU and Create Computer to some group on some OU and are then confused as to how the people are creating users... How? They create an OU that they own and can do anything they want with.

The solution to this is to reduce the number of admins to some very small number. I don't tire of saying we had 4 domain/enterprise admins at the major widget company I ran AD for, which had some 250,000 userids. There was one supervisor, our supervisor, who wasn't allowed to use his ID, and three of us with the admin rights and the responsibilities. While this doesn't prevent the admins from creating users, you have very tight control over who can do it and it is much easier to control by process. In fact, the admins themselves are of the opinion that they don't want to create IDs; I know we had no desire to, and took a manager telling our supervisor to do it, and we still talked back and refused. The more people who have the rights to do things like this, the more chance process is not going to be followed.

In summary, you cannot eviscerate the DA. You can only make it so they have to take extra steps to do what they want. If they have the desire and are tenacious, they can get through any security boundaries you put into place. It has no bearing how good you are as the delegation person; it all comes down to how good the DA is.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, February 22, 2005 8:05 PM
To: [email protected]
Subject: RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

Hmmm. OK, I'm inclined to agree, but aren't DAs and EAs governed by the same set of ACLs and ACEs applied at specific levels of AD as any other user? IOW, can't I remove the Allow from DA to Create / Delete User Object?

Right. AdminSDHolder is going to change it back on its rounds. And (though joe will come in here any minute and smack me with a large trout) if I make changes to my AdminSDHolder (not advised), I can change the ACE/ACL in AD for the administrative contexts. In fact, because of issues with DAs that need to do their job but simply can't be trusted to do some things without blowing off a toe or a leg, I've had to limit DA ability to modify/change/link/anything the Default Domain Policy and Default DC Policy.

Overall - not advised, I agree. Create a new user/group/role for what you want these folks to really be able to do. This would be the right direction. Eviscerating the DA is not the right move, but that doesn't mean that it can't be done.

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, February 22, 2005 4:05 PM
To: '[email protected] '
Subject: RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

Maybe you could configure auditing to see who is creating user accounts, or "convert" all domain admins into normal users ;-)

Preventing what you want is not possible, as domain admins in a forest/domain have the ability to do everything they want.

Jorge

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of "Sanz de León, Juan Carlos"
Sent: Thursday, July 29, 2004 4:15 AM
To: '[email protected]'
Subject: [ActiveDir] Is it possible ? deny domain admins create new user permission

Dear Gurus,

We are currently working on a project where we need to deny domain administrators the permission to "create new users" (and assign it to some other group). Is this technically possible? Has anyone actually done it before?

Thanks in advance for your help,

Juan Carlos Sanz

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
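Jorge's suggestion to audit who is creating accounts, and joe's point that the delegated group should be the only ones doing it by process, carried through as an added example that is not part of the thread: it reads Security-log "user account created" events (ID 4720 on current Windows, 624 on the Windows 2000/2003 servers of this era) and flags creations that did not come from the delegated provisioning group, singling out ones done directly by Domain Admins. The event export, group names and account names are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ACCOUNT_CREATED_IDS = {"4720", "624"}   # "A user account was created"

# Constructed sample export, shaped like Windows event XML (one <Event>
# per record, wrapped in a root element for the example).
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4720</EventID><TimeCreated SystemTime="2005-02-23T08:01:00Z"/></System>
 <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="SubjectUserName">svc-provision</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4720</EventID><TimeCreated SystemTime="2005-02-23T08:05:00Z"/></System>
 <EventData><Data Name="TargetUserName">tmp-admin2</Data><Data Name="SubjectUserName">joe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4724</EventID><TimeCreated SystemTime="2005-02-23T08:06:00Z"/></System>
 <EventData><Data Name="TargetUserName">jsmith</Data><Data Name="SubjectUserName">helpdesk1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4720</EventID><TimeCreated SystemTime="2005-02-23T08:09:00Z"/></System>
 <EventData><Data Name="TargetUserName">contractor7</Data><Data Name="SubjectUserName">helpdesk1</Data></EventData></Event>
</Events>"""

# Constructed group memberships; in production these come from AD.
DELEGATED_CREATORS = {"svc-provision", "hr-provisioning"}
DOMAIN_ADMINS = {"joe", "rtk"}


def _field(event, name):
    """Read one EventData <Data Name="..."> value, or "" if absent."""
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return node.text if node is not None else ""


def review_account_creations(xml_text, delegated, domain_admins):
    """Return (creator, new_account, time, reason) for each account creation
    that bypassed the delegated provisioning group. Other event IDs
    (e.g. 4724 password resets) are ignored."""
    findings = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", default="", namespaces=NS) not in ACCOUNT_CREATED_IDS:
            continue
        creator = _field(ev, "SubjectUserName")
        if creator in delegated:
            continue          # created through the sanctioned process
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime", "")
        reason = ("Domain Admins member created account directly" if creator in domain_admins
                  else "creator is not in the delegated provisioning group")
        findings.append((creator, _field(ev, "TargetUserName"), when, reason))
    return findings
```

Because a DA can always take ownership and re-grant rights, this review only detects process bypasses after the fact; pair it with the small-DA-group and delegation advice in the thread rather than treating it as prevention.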
