Ever tried it? Ever successfully done it? I have, and I'm tired of hearing that argument that empty root is useless. *Most* folks don't know, nor care to make the effort to exploit this.

They will, and know how to very easily, add themselves to a group in a flat domain.

- WJR

On Thu, Sep 30, 2010 at 12:25, Brian Desmond <[email protected]> wrote:

> Even if they were a domain admin in a child they could add themselves to the EAs group in a root domain if they really wanted to exploit this.
>
> Thanks,
>
> Brian Desmond
>
> [email protected]
>
> c – 312.731.3132
>
> From: William J. Robbins [mailto:[email protected]]
> Sent: Thursday, September 30, 2010 7:05 AM
> To: NT System Admin Issues
> Subject: Re: Restricting groups in Active Directory
>
> The short answer is yes, if they are domain admins they can do anything they like provided they have the knowledge. Including add themselves to the Enterprise Admins group since you said you were in a single domain, which I interpret as no "empty root."
>
> You could change the ACLs, but again they can undo that with the knowledge.
>
> The help desk!? Seriously? Well good luck to you in the new position, sounds like you may need some.
>
> WJR
> - from my Crackberry.
>
> "If you find yourself in a fair fight, your tactics suck."
>
> ------------------------------
>
> From: James Rankin <[email protected]>
> Date: Thu, 30 Sep 2010 12:49:52 +0100
> To: NT System Admin Issues <[email protected]>
> ReplyTo: "NT System Admin Issues" <[email protected]>
> Subject: Restricting groups in Active Directory
>
> I've just started a new job and we're building an all-new infrastructure. One of the key things I'm looking at is restricting access to the most sensitive functions of some of the infrastructure, mainly in VMWare and XenApp. I'm currently looking at doing this by using AD groups - creating groups for each support team and adding those groups to the relevant areas in XenApp and VirtualCenter to give them the necessary permissions.
>
> However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?
>
> Could I edit the ACL for these groups and Deny Domain Admins the Modify Ownership privilege? Or can they override that as well somehow? Is there some way I could handle this even if everyone gets given Domain Admin access, or will I have to convince them to do things *properly* using delegation of privilege?
>
> All input is welcomed,
>
> TIA,
>
> JRR
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
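A defender's check for the situation the thread describes, added here and not written by any of the posters: it reports which principals hold rights on one of the new support-team groups that let them rewrite its DACL or take ownership (the reason a Deny ACE will not hold against a Domain Admin), and pulls the Security events that record members being added to those groups. It assumes the ActiveDirectory PowerShell module, a domain controller's Security log with group-management auditing enabled, and constructed group names.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# and that it runs on, or can read the Security log of, a domain controller.
Import-Module ActiveDirectory

# Constructed names standing in for the support-team groups the poster is creating.
$WatchedGroups = 'XenApp-Support', 'VirtualCenter-Admins'

# Rights on the group object that let a principal change its ACL or owner,
# i.e. undo any Deny ACE placed on it; also reports the current owner.
function Get-GroupControlRights {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
    $acl.Access |
        Where-Object { $_.ActiveDirectoryRights -match 'WriteDacl|WriteOwner|GenericAll' } |
        ForEach-Object {
            [pscustomobject]@{
                Group     = $GroupName
                Owner     = $acl.Owner
                Principal = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Type      = $_.AccessControlType
                Inherited = $_.IsInherited
            }
        }
}

# Member added to a security-enabled group: 4728 (global), 4732 (domain local),
# 4756 (universal). TargetUserName is the group, MemberName the account added.
function Get-GroupMembershipAdditions {
    param([string[]]$GroupNames, [int]$Days = 1)
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($GroupNames -contains $data.TargetUserName) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Group   = $data.TargetUserName
                Member  = $data.MemberName
                AddedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            }
        }
    }
}

$WatchedGroups | ForEach-Object { Get-GroupControlRights -GroupName $_ } | Format-Table -AutoSize
Get-GroupMembershipAdditions -GroupNames $WatchedGroups -Days 7 | Format-Table -AutoSize
```

This is visibility, not prevention: as the replies above say, an account that is already a Domain Admin can also change the audit policy or clear the log, so the events are only trustworthy when they are forwarded to a collector those accounts do not control.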
