RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

[deji]

Both of your suggestions are good …. Except that neither does much to PREVENT a DA or admin from doing much of anything. I figured that you are shying away from employing the Joe-Stick (not to be confused with Joystick J) and telling Mark to go back to the drawing board and re-thinking why these people he is trying to lock down (out) are members of those groups in the first place. A well-known solution to Mark’s problem is to remove the people from those groups. He’d be fine ever after.   Deji   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Tuesday, March 08, 2005 4:21 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem: Limit Domain Admins and Administrators   Yeah, that’s been discussed a few times here.  One of the issues that you run into with Domain Admins and the like is that they can take ownership of any object and then just change permissions back to what they want.  It is the way that AD was designed – the intent is clearly there to prevent one from irreparably locking themselves out of controlling their domain/forest.   One way to do this, however, is to look at users (potential DA’s) by what they do.  Define the job roles and create groups for these users.  Grant permissions to allow these users to do what they must at the specific object location – and don’t make them Domain Admins at all.  In this way, you have a very granular approach to controlling user access.  There are very few folks in any environment that need the full set of permissions that the DA or EA give.   Granted, this is an approach that is fraught with lots of manual effort.  Another way to look at this is by looking at Quest’s Active Roles.  It helps you define, manage and control roles for users, where the role is applied, and the ability to report and control the actions.  It also gives your audit function a boost by not requiring the person doing the audit to really know anything about AD other than this person can do ‘A” job with these rights in AD. Rick Kingslan  MCSE, MCSA, MCT, CISSP Microsoft MVP: Windows Server / Directory Services Windows Server / Rights Management Windows Security (Affiliate) Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone WebLog - www.msmvps.com/willhack4food From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 08, 2005 6:01 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem: Limit Domain Admins and Administrators   Problem: Need to lockdown Domain Admins and Administrators so that they can not add additional users the Domain Admins and Administrators group. Possible Solution: Remove the permission's from the Domain Admins and Administrators so that only Enterprise Admins can change their membership. Anyone got a better idea or know if the solution will not work ? Thank You ! And have a nice day ! ************************************************************** Mark Lunsford KAISER PERMANENTE Directory Services Identify Management (DSIM/NOS) Email: [EMAIL PROTECTED] Outside Phone: 925-926-5898 Tie Line Phone: 8-473-5898 C ell: 925-200-0047 Remedy Group: NOPS SCRTY DSIM NOS **************************************************************