I understand that. I agree wholeheartedly... mostly that you don't know my background: who I work for, the size of these companies, the number of users, nor how many times I've done this in enterprise (and I don't use that lightly) environments.

Look, this thread started with a question about what to do when everyone is a DA in a flat directory... I merely added that *because* it is flat, it makes it all too easy to add themselves to the EA group. Now we've tangented off into who knows what about when and how long... Look, I do not give a rat's behind whose opinion you value, nor how often you hear someone speak... but don't presume I'm an idiot stuck in 2000. I'm glad Brian's an MVP... What's next in this d!ck measuring contest? Swap MCP numbers to see whose is the lowest and who has the most certs? I was trying to help. Now I'm done helping. I believe Mr. Rankin said "Thank you, and good day" some time ago. Y'all have fun.

- WJR

On Thu, Sep 30, 2010 at 16:06, KenM <[email protected]> wrote:

> William
>
> Back when Win2k came out the empty root was the recommended setup because the security boundary was the domain. But since then Microsoft's stance has changed and the security boundary is the forest. So they do not recommend the empty root. I have been to several conferences and have listened to Brian speak, and many other MVPs and Microsoft employees, about this design. I do not know your background, but I know I will always listen to Brian's opinion on anything AD related.
>
> On Thu, Sep 30, 2010 at 4:38 PM, William Robbins <[email protected]> wrote:
>
>> I see. And how many directories have you designed for Fortune 500 companies?
>>
>> I'm protecting them from people that think it's no big deal to continue to design a directory as if it were still 1996... but that's just me and my 10 years of experience designing directories for enterprise environments talking.
>>
>> You go right ahead doing it your way, I'll do it mine.
>>
>> - WJR
>>
>> On Thu, Sep 30, 2010 at 15:22, Brian Desmond <[email protected]> wrote:
>>
>>> Your average Fortune 500 probably doesn't have the network requirements to demand it. I've worked in places that do and I've worked in a lot of places that don't.
>>>
>>> You're looking at a lot more than two servers plus the man hours and overhead when you add it up. I'm not sure what you feel you're protecting yourself or your customers from by continuing to deploy this design.
>>>
>>> Thanks,
>>> Brian Desmond
>>> [email protected]
>>> c – 312.731.3132
>>> Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
>>> Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
>>>
>>> From: William Robbins [mailto:[email protected]]
>>> Sent: Thursday, September 30, 2010 2:43 PM
>>> To: NT System Admin Issues
>>> Subject: Re: Restricting groups in Active Directory
>>>
>>> Very limited huh? You mean like the Fortune 500?
>>>
>>> How much money does two servers cost? How much does it cost when some idiot gives himself inappropriate creds and makes a critical error?
>>>
>>> - WJR
>>>
>>> On Thu, Sep 30, 2010 at 14:27, Brian Desmond <[email protected]> wrote:
>>>
>>> All it does is cost money in most orgs. The need for separate domains is down to segregating domain NC replication and there's a very limited set of places where you actually need to start doing that.
>>>
>>> Thanks,
>>> Brian Desmond
>>> [email protected]
>>> c – 312.731.3132
>>>
>>> From: William Robbins [mailto:[email protected]]
>>> Sent: Thursday, September 30, 2010 2:21 PM
>>> To: NT System Admin Issues
>>> Subject: Re: Restricting groups in Active Directory
>>>
>>> Ever tried it? Ever successfully done it?
>>>
>>> I have, and I'm tired of hearing that argument that empty root is useless. *Most* folks don't know, nor care to make the effort to exploit this.
>>>
>>> They will, and know how to very easily, add themselves to a group in a flat domain.
>>>
>>> - WJR
>>>
>>> On Thu, Sep 30, 2010 at 12:25, Brian Desmond <[email protected]> wrote:
>>>
>>> Even if they were a domain admin in a child they could add themselves to the EAs group in a root domain if they really wanted to.
>>>
>>> Thanks,
>>> Brian Desmond
>>> [email protected]
>>> c – 312.731.3132
>>>
>>> From: William J. Robbins [mailto:[email protected]]
>>> Sent: Thursday, September 30, 2010 7:05 AM
>>> To: NT System Admin Issues
>>> Subject: Re: Restricting groups in Active Directory
>>>
>>> The short answer is yes, if they are domain admins they can do anything they like provided they have the knowledge. Including adding themselves to the Enterprise Admins group, since you said you were in a single domain, which I interpret as no "empty root."
>>>
>>> You could change the ACLs, but again they can undo that with the knowledge.
>>>
>>> The help desk!? Seriously? Well good luck to you in the new position, sounds like you may need some.
>>>
>>> WJR
>>> - from my Crackberry.
>>>
>>> "If you find yourself in a fair fight, your tactics suck."
>>> ------------------------------
>>>
>>> From: James Rankin <[email protected]>
>>> Date: Thu, 30 Sep 2010 12:49:52 +0100
>>> To: NT System Admin Issues <[email protected]>
>>> ReplyTo: "NT System Admin Issues" <[email protected]>
>>> Subject: Restricting groups in Active Directory
>>>
>>> I've just started a new job and we're building an all-new infrastructure. One of the key things I'm looking at is restricting access to the most sensitive functions of some of the infrastructure, mainly in VMWare and XenApp. I'm currently looking at doing this by using AD groups - creating groups for each support team and adding those groups to the relevant areas in XenApp and VirtualCenter to give them the necessary permissions.
>>>
>>> However, the business are adamant that every member of the support teams (from helpdesk upwards) will be given a Domain Admin account. Am I right in assuming this means that they could simply add themselves into the groups I am setting up, because even if I restrict these groups via an ACL, they could just take ownership of the group?
>>>
>>> Could I edit the ACL for these groups and Deny Domain Admins the Modify Ownership privilege? Or can they override that as well somehow? Is there some way I could handle this even if everyone gets given Domain Admin access, or will I have to convince them to do things *properly* using delegation of privilege?
>>>
>>> All input is welcomed,
>>>
>>> TIA,
>>>
>>> JRR
>>>
>>> --
>>>
>>> "On two occasions... I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to [email protected]
>>> with the body: unsubscribe ntsysadmin
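The thread's technical consensus is that an ACL on a group cannot stop a Domain Admin from changing its membership, because a DA can undo the ACL; the defensive fallback is to detect privileged-group changes quickly. As an added example (not code from any participant in the thread), the Python below parses constructed Security-log records shaped like Windows events 4728, 4732 and 4756 ("A member was added to a security-enabled global/local/universal group"), flags additions to privileged groups whose new member is not in an approved baseline, and separately flags an actor adding their own account. The privileged-group list, the account names and SIDs, the baseline and the text layout of the records are all assumptions made for the example.

```python
# Flag additions to privileged AD groups in Security-log text. Constructed example,
# not code from the thread: group list, SIDs, names and record layout are assumptions.
import re
from dataclasses import dataclass

# Windows event IDs for "member added to a security-enabled global/local/universal group".
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}

# Groups whose membership changes always merit review (assumed list).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators", "backup operators"}

# Approved baseline: lower-case group name -> member SIDs expected there (assumed).
APPROVED = {"schema admins": {"S-1-5-21-111-222-333-1400"}}

# Constructed sample records, one per blank-line-separated block.
SAMPLE_LOG = """\
EventID: 4728
Subject Security ID: S-1-5-21-111-222-333-1105
Subject Account Name: alice
Member Name: CN=Alice Smith,OU=IT,DC=corp,DC=example
Member Security ID: S-1-5-21-111-222-333-1105
Group Name: Domain Admins

EventID: 4756
Subject Security ID: S-1-5-21-111-222-333-1200
Subject Account Name: bob
Member Name: CN=Eve Lee,OU=Helpdesk,DC=corp,DC=example
Member Security ID: S-1-5-21-111-222-333-1201
Group Name: Enterprise Admins

EventID: 4756
Subject Security ID: S-1-5-21-111-222-333-1000
Subject Account Name: adadmin
Member Name: CN=Schema Svc,OU=Service,DC=corp,DC=example
Member Security ID: S-1-5-21-111-222-333-1400
Group Name: Schema Admins

EventID: 4728
Subject Security ID: S-1-5-21-111-222-333-1300
Subject Account Name: carol
Member Name: CN=Dave Brown,OU=Helpdesk,DC=corp,DC=example
Member Security ID: S-1-5-21-111-222-333-1302
Group Name: XenApp-Helpdesk
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")


@dataclass
class GroupChange:
    event_id: int
    actor: str
    actor_sid: str
    member_dn: str
    member_sid: str
    group: str

    @property
    def privileged(self) -> bool:
        return self.group.lower() in PRIVILEGED_GROUPS

    @property
    def self_added(self) -> bool:
        # Compare SIDs: the member is logged as a DN, the actor as a SAM name.
        return self.actor_sid == self.member_sid


def parse_events(text: str) -> list:
    """Parse member-added records; other event IDs and incomplete blocks are skipped."""
    changes = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        try:
            event_id = int(fields["EventID"])
            if event_id in MEMBER_ADDED_EVENTS:
                changes.append(GroupChange(
                    event_id, fields["Subject Account Name"], fields["Subject Security ID"],
                    fields["Member Name"], fields["Member Security ID"], fields["Group Name"]))
        except (KeyError, ValueError):
            continue  # not enough fields to act on
    return changes


def review(changes: list, approved: dict) -> list:
    """Return (change, reason) pairs for privileged-group additions needing review."""
    findings = []
    for c in changes:
        if not c.privileged:
            continue  # ordinary group: leave to routine logging
        if c.self_added:
            findings.append((c, "actor added own account"))
        elif c.member_sid not in approved.get(c.group.lower(), set()):
            findings.append((c, "member not in approved baseline"))
    return findings
```

Run `review(parse_events(SAMPLE_LOG), APPROVED)` on the constructed records: alice's self-addition to Domain Admins and bob's addition of an unbaselined account to Enterprise Admins are reported, the baselined Schema Admins change is not, and the XenApp-Helpdesk change is ignored as non-privileged. The comparison is on SIDs rather than names because the member field carries a DN while the actor field carries a SAM account name, and because a renamed account keeps its SID.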
