<not an argument for implementing bad security>I think we all know how bad it is to have hordes of DAs. We also know that it is the reality in many large and small orgs, and we also know that it is sometimes unavoidable for purely non-technical reasons. The bottom line is that many of those DAs probably don't know how to undo something that you take away from them, so security by obscurity, while pretty awful, sometimes actually works.
</not an argument for implementing bad security>
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 31, 2006 1:58 PM
To: [email protected]
Subject: RE: [ActiveDir] Revoke domain administrator's right to create GPO?
Hehe. Wrong list for this kind of question. Put on a helmet.
But... yes you can, for as long as the DAs decide to let it be that way. They will have no issues switching it right back. You CANNOT prevent DAs from doing anything they want in the domain or the forest. You can try like a duckling can try and put out the flames of a volcano with the beating of his wings, and you will be just as successful. There is no such thing as Domain Administrator and Super Domain Administrator. Once you get even administrator rights on a DC, you pretty much do what you want when you want. It really doesn't even take that much, but we will start there.
The answer you are looking for is to reduce the number of DAs in the entire forest to 5 or less. You don't work for a large enough company to actually qualify to use LOTS of Domain Administrators unless there are lots of forests and only a few DAs in each. AD should be delegated or provisioned; it shouldn't have a bunch of folks with native high level rights. No, this isn't impossible to do; some of us have done it in Fortune 5 companies and of course also in smaller companies.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 3:42 PM
To: [email protected]
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?
I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?
Thanks in advance.
Andy
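The two points in this thread, Andy's question of who can actually create GPOs and joe's answer that the real fix is trimming Domain Admins down to five or fewer per forest, are both things an administrator can measure rather than guess at. The following PowerShell audit is an added example; it is not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read every domain in the forest, and it treats the threshold of five (taken from joe's reply) as a tunable variable named $MaxDomainAdmins. The function and variable names are the example's own. GPO creation rights live in the directory as CreateChild permission for the groupPolicyContainer class on the CN=Policies,CN=System container of each domain, so the second function reads that ACL instead of relying on group names.

```powershell
# Added audit example (not from the thread). Requires the ActiveDirectory RSAT module
# and read access to each domain in the forest; run it from a domain-joined host.
Import-Module ActiveDirectory

# Threshold from joe's advice in the thread: five or fewer DAs in the whole forest.
$MaxDomainAdmins = 5

function Get-ForestDomainAdmins {
    # Returns the effective (nested) user members of Domain Admins in every domain.
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Server $domainName
        # Well-known RID 512 is Domain Admins; using the SID finds the group even if renamed.
        $daSid = "$($domain.DomainSID)-512"
        Get-ADGroupMember -Identity $daSid -Server $domainName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object @{ n = 'Domain'; e = { $domainName } }, SamAccountName, DistinguishedName
    }
}

function Get-GpoCreators {
    # Returns the ACEs on each domain's Policies container that allow creating
    # groupPolicyContainer objects, i.e. the principals that can create GPOs.
    $forest = Get-ADForest

    # Resolve the schema GUID of groupPolicyContainer at run time instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $gpcClass = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
    $gpcGuid = [guid]$gpcClass.schemaIDGUID

    foreach ($domainName in $forest.Domains) {
        $domain     = Get-ADDomain -Server $domainName
        $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

        # The default AD: drive only sees the current domain; map a drive per domain.
        New-PSDrive -Name GpoAudit -PSProvider ActiveDirectory -Root '' -Server $domainName | Out-Null
        try {
            $acl = Get-Acl -Path "GpoAudit:\$policiesDn"
        }
        finally {
            Remove-PSDrive -Name GpoAudit
        }

        $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            # -band catches GenericAll too, since it includes the CreateChild bit.
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
            # Empty ObjectType means "any child class", which also covers GPOs.
            ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq [guid]::Empty)
        } | Select-Object @{ n = 'Domain'; e = { $domainName } }, IdentityReference,
                          ActiveDirectoryRights, InheritanceType
    }
}

# --- Report ---
$das = @(Get-ForestDomainAdmins)
$das | Sort-Object Domain, SamAccountName | Format-Table -AutoSize

$daCount = ($das | Select-Object -Unique DistinguishedName).Count
if ($daCount -gt $MaxDomainAdmins) {
    Write-Warning "Forest has $daCount Domain Admin accounts; target is $MaxDomainAdmins or fewer."
}

Write-Host "Principals able to create GPOs (CreateChild on CN=Policies):"
Get-GpoCreators | Format-Table -AutoSize
```

Run both parts before and after any delegation change: the first table shows how far the forest is from joe's target, and the second shows whether removing a group's CreateChild ACE actually changed anything or whether a GenericAll entry higher up (which any DA can restore, as joe notes) still grants the right. Because Domain Admins own the ACL on that container, the second report is evidence, not enforcement.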
