All it does is cost money in most orgs. The need for separate domains is down to segregating domain NC replication and there's a very limited set of places where you actually need to start doing that.
Thanks, Brian Desmond [email protected] c - 312.731.3132 From: William Robbins [mailto:[email protected]] Sent: Thursday, September 30, 2010 2:21 PM To: NT System Admin Issues Subject: Re: Restricting groups in Active Directory Ever tried it? Ever successfully done it? I have, and I'm tired of hearing that argument that empty root is useless. Most folks don't know, nor care to make the effort to exploit this. They will, and know how to very easily, add themselves to a group in a flat domain. - WJR On Thu, Sep 30, 2010 at 12:25, Brian Desmond <[email protected]<mailto:[email protected]>> wrote: Even if they were a domain admin in a child they could add themselves to the EAs group in a root domain if they really wanted to.exploit this Thanks, Brian Desmond [email protected]<mailto:[email protected]> c - 312.731.3132 From: William J. Robbins [mailto:[email protected]<mailto:[email protected]>] Sent: Thursday, September 30, 2010 7:05 AM To: NT System Admin Issues Subject: Re: Restricting groups in Active Directory The short answer is yes, if they are domain admins they can do anything they like provided they have the knowledge. Including add themselves to the Enterprise Admins group since you said you were in a single domain, which I interpret as no "empty root." You could change the ACL's, but again they can undo that with the knowledge. The help desk!? Seriously? Well good luck to you in the new position, sounds like you may need some. WJR - from my Crackberry. "If you find yourself in a fair fight, your tactics suck." ________________________________ From: James Rankin <[email protected]<mailto:[email protected]>> Date: Thu, 30 Sep 2010 12:49:52 +0100 To: NT System Admin Issues<[email protected]<mailto:[email protected]>> ReplyTo: "NT System Admin Issues" <[email protected]<mailto:[email protected]>> Subject: Restricting groups in Active Directory I've just started a new job and we're building an all-new infrastructure. One of the key things I'm looking at it is restricting access to the most sensitive functions of some of the infrastructure, mainly in VMWare and XenApp. I'm currently looking at doing this by using AD groups - creating groups for each support team and adding those groups to the relevant areas in XenApp and VirtualCenter to give them the necessary permissions. However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group? Could I edit the ACL for these groups and Deny Domain Admins the Modify Ownership privilege? Or can they override that as well somehow? Is there some way I could handle this even if everyone gets given Domain Admin access, or will I have to convince them to do things *properly* using delegation of privilege? All input is welcomed, TIA, JRR -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
