RE: [ActiveDir] Problem: Limit Domain Admins and Administrators

[Brian Desmond]

Where I come from, we have this phrase that sums up Rick’s message real short and sweet “damn domain admins”. It’s all political.   --Brian   Thanks.   --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org   v - 773.534.0034 x135 f - 773.534.8101 c - 312.731.3132   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Tuesday, March 08, 2005 10:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem: Limit Domain Admins and Administrators   joe –   Great answer in a perfect world.  Great answer in the joe-run world.  I’d like to do the same, but it’s kind of funny that the guys I can’t really trust, the company still employs because I can’t get evidence that is going to get them fired to the degree in which HR is not going to spend the next 30 years in a court room over false termination.  If Rick Neuheisal can get $4.7 Million for being fired as a coach because he violated NCAA rules, I’m sure that the morons that I have to employ can make our life tough by being stupid on our network.   I can’t move them off to other functions.  Why?  If I can’t fire them, I can’t replace them.  Management (upper) is kind of funny that way in the world that I live in.  The best that I can hope to do is to remove rights to the point that if they piss themselves, it’s just their own mess – no one elses.   I suspect Mr. Lunsford is much more like me.  He’s in an environment where he has to employ people that aren’t as good as we’d like them to be.  Or, maybe even as trustworthy as we’d like.  So, that means that we:   protect ourselves as well as possible while we build the long trail of documentation to shit-can them figure out a way to mitigate the damage as much as possible – hence the suggestions that I posted   Usually, the advice that “You can’t do that” isn’t realistic.   -rtk   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, March 08, 2005 9:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem: Limit Domain Admins and Administrators   You can't. Period.   Solution: Don't give these people who are untrustworthy administrator or any native group access and don't let them log on interactively to your DCs or allow them to modify the file systems nor registry nor services.   Summary: You can't. Period.      joe   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 08, 2005 7:01 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem: Limit Domain Admins and Administrators Problem: Need to lockdown Domain Admins and Administrators so that they can not add additional users the Domain Admins and Administrators group. Possible Solution: Remove the permission's from the Domain Admins and Administrators so that only Enterprise Admins can change their membership. Anyone got a better idea or know if the solution will not work ? Thank You ! And have a nice day ! ************************************************************** Mark Lunsford KAISER PERMANENTE Directory Services Identify Management (DSIM/NOS) Email: [EMAIL PROTECTED] Outside Phone: 925-926-5898 Tie Line Phone: 8-473-5898 C ell: 925-200-0047 Remedy Group: NOPS SCRTY DSIM NOS **************************************************************