Ask why they need to be domain admins and not just have the necessary 
permissions delegated. My Service Desk guys were domain admins from the day 
they started (in some cases years) and they insisted they needed to be domain 
admins to do x, y and z.

Oddly, I was able to delegate the necessary functions and they haven't been 
domain admins for many months now. The Win2K servers were sticky since they 
don't have a "Remote Desktop Users" group, but restricted groups helped me out 
there - they're local admins on Win2K Server boxes but not domain admins.

You can make them local admins of servers without them being domain admins, and 
using GPOs you'll be able to track who is admin on what instead of going to 
each machine one by one.

No clue if this would help what you're fighting though....

Dave
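
The split Dave describes (delegated rights, local admin through Restricted Groups, and a central view of who is admin where) is easiest to keep honest with a periodic audit. As an added example that is not part of this thread, the PowerShell below lists the effective Domain Admins membership and the local Administrators group on a set of servers, and flags anyone who holds both. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell Remoting plus Get-LocalGroupMember (PowerShell 5.1+) on the servers, and placeholder server names.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (RSAT) locally, PowerShell Remoting and Get-LocalGroupMember on targets.
#Requires -Modules ActiveDirectory

# Placeholder server names; replace with the servers you delegate on.
$Servers = @('SRV-FILE01', 'SRV-APP01')

# 1. Effective (nested) Domain Admins membership, resolved to user SIDs.
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user'
$DaSids = $DomainAdmins | ForEach-Object { $_.SID.Value }

# 2. Local Administrators membership on each server, collected remotely.
#    The SID is converted to a string on the remote side so it survives
#    serialisation unchanged.
$Report = foreach ($Server in $Servers) {
    try {
        $Members = Invoke-Command -ComputerName $Server -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object Name, ObjectClass, PrincipalSource,
                              @{ n = 'Sid'; e = { $_.SID.Value } }
        }
    } catch {
        Write-Warning "Could not query ${Server}: $($_.Exception.Message)"
        continue
    }
    foreach ($M in $Members) {
        [pscustomobject]@{
            Server        = $Server
            Member        = $M.Name
            Type          = $M.ObjectClass      # User or Group
            Source        = $M.PrincipalSource  # Local or ActiveDirectory
            IsDomainAdmin = $DaSids -contains $M.Sid
        }
    }
}

# 3. Anyone who is both local admin and Domain Admin still holds more than
#    the delegated role needs; list everything, then export the overlap.
$Report | Sort-Object Server, Member | Format-Table -AutoSize
$Report | Where-Object IsDomainAdmin |
    Export-Csv -Path .\admin-overlap.csv -NoTypeInformation
```

Domain groups nested in local Administrators show up with Type = Group; expand those separately with Get-ADGroupMember -Recursive if you need per-user detail for them.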

From: James Rankin [mailto:[email protected]]
Sent: Thursday, September 30, 2010 6:18 AM
To: NT System Admin Issues
Subject: Re: Restricting groups in Active Directory

I am raising this up with IS management, as it is unsupportable - there's no 
point in me putting a structure together that can just be pulled apart at will.

There's no way around it, so I'm just going to have to trust in my own 
stubbornness to get the buy-in I need :-) Audit was going to be one of the hot 
words to throw into the debate, though. I'd be interested myself in seeing the 
results of any previous audits they've had here.

On 30 September 2010 14:08, Andrew S. Baker <[email protected]> wrote:
>>However, the business are adamant that every member of the support teams 
>>(from helpdesk upwards) will be given a Domain Admin account. Am I right in 
>>assuming this means that they could simply add themselves into the groups I 
>>am setting up, because even if I restrict these groups via an ACL, they could 
>>just take ownership of the group?

You might need to enlist the assistance of... dare I say it? ...  Auditors.

If everyone is a domain admin, then they can all do whatsoever they want in the 
domain.

Seriously, is your organization not subject to some sort of regulatory 
compliance?  Who is your CTO/CIO?



ASB (My XeeSM Profile)<http://XeeSM.com/AndrewBaker>
Exploiting Technology for Business Advantage...



On Thu, Sep 30, 2010 at 7:49 AM, James Rankin <[email protected]> wrote:
However, the business are adamant that every member of the support teams (from 
helpdesk upwards) will be given a Domain Admin account. Am I right in assuming 
this means that they could simply add themselves into the groups I am setting 
up, because even if I restrict these groups via an ACL, they could just take 
ownership of the group?


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]
with the body: unsubscribe ntsysadmin



--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the 
machine wrong figures, will the right answers come out?' I am not able rightly 
to apprehend the kind of confusion of ideas that could provoke such a question."
