Guest Stan
Posted April 25, 2009

Is there a way to protect W2003 AD Domain Admin & Administrator Groups so existing members cannot add other users to these groups? I only want our Enterprise Admins group to have change rights to these groups.

I have tested:

Created OU - Test,
Removed write permission for domain admins on this Test OU.
Blocked inheritance with exception of Enterprise Admins
Then moved Domainadmin group to this OU,
Removed write permission and removed self as member for this group
But after 1 hr all the settings are rolled back..

If this is not possible and Microsoft does not recommend this, can you point me to MS Documentation? I need to show our auditors this kind of change is not possible.

Many thanks - Stan
Guest Robert Moir
Posted April 25, 2009

Stan wrote:
> Is there a way to protect W2003 AD Domain Admin & Administrator
> Groups so existing members cannot add other users to these groups ?

Not reliably. Someone might come up with some hack but it's never going to be foolproof (either this lock can be unpicked by someone with admin rights, like uh... a domain admin... or it'll break other stuff).

Someone clearly misunderstands what administrators and domain admins groups are for. If you don't trust people then they shouldn't be members of this group, end of discussion. Auditors who don't understand this should be told to keep their nose out of things that don't concern them.
Guest Shenan Stanley
Posted April 25, 2009

Stan wrote:
> Is there a way to protect W2003 AD Domain Admin & Administrator
> Groups so existing members cannot add other users to these groups ?
>
> I only want our Enterprise Admins group to have change rights to
> these groups.
>
> I have tested
>
> Created OU- Test,
> Removed write permission for domain admins on this Test OU.
> Blocked inheritance with exception of Enterprise Admins
> Then moved Domainadmin group to this OU,
> Removed write permission and removed self as member for this group
> But after 1 hr all the settings are rolled back..
>
> If this is not possible and Micirsift does not recommend this can
> you point me to MS Documentation
>
> I need to show our auditors this kind of change is not possible.

Who cares about the auditors at this point? If you have domain admins/administrator group members you cannot trust with the power this gives them - they should not be in those groups at all. That's a social/political issue - not a technical one. Don't complicate a simple problem - those who cannot be trusted with extra privs do not get extra privs.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
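The rollback Stan saw after an hour is what the AdminSDHolder/SDProp process does: by default every 60 minutes it restamps the ACLs of protected groups such as Domain Admins and Administrators, so permission edits made on the group object do not survive. Since the groups cannot be locked down that way, the compensating control an auditor can be shown is detection of membership changes; the script below is an added example that is not from the thread, and its export line format, the CONTOSO domain and the account names are constructed for illustration.

```python
# Added example (not from the thread): flag additions to protected AD groups that
# were not performed by an approved account. The event records are constructed to
# mimic a Windows Server 2003 Security log export; the field layout is an
# assumption for this example, not the real Event Log API.
from dataclasses import dataclass

# Groups whose ACLs SDProp restamps from AdminSDHolder; the OU trick cannot hold them.
PROTECTED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
# W2003 "member added" event IDs: 632 global, 636 local, 659 universal group
# (4728 / 4732 / 4756 on Windows Server 2008 and later).
MEMBER_ADDED_EVENTS = {632, 636, 659}
# Constructed: the only accounts that are supposed to change these groups.
APPROVED_ACCOUNTS = {"CONTOSO\\ea.jsmith"}

@dataclass(frozen=True)
class GroupChange:
    time: str
    event_id: int
    subject: str   # account that made the change
    group: str     # group that was modified
    member: str    # account that was added

def parse_export(text):
    """Parse 'time | event_id | subject | group | member' lines (constructed format)."""
    changes = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        time, event_id, subject, group, member = [f.strip() for f in line.split("|")]
        changes.append(GroupChange(time, int(event_id), subject, group, member))
    return changes

def unauthorized_additions(changes, approved=APPROVED_ACCOUNTS):
    """Return changes where a non-approved account added someone to a protected group."""
    return [c for c in changes
            if c.event_id in MEMBER_ADDED_EVENTS
            and c.group in PROTECTED_GROUPS
            and c.subject not in approved]

# Constructed sample export: two additions by a Domain Admin, one by the approved
# Enterprise Admin, and one addition to an ordinary group that must be ignored.
SAMPLE_EXPORT = """\
# time | event id | subject | group | member
2009-04-25 09:12:04 | 632 | CONTOSO\\da.bob    | Domain Admins     | CONTOSO\\contractor1
2009-04-25 09:15:31 | 636 | CONTOSO\\da.bob    | Administrators    | CONTOSO\\contractor1
2009-04-25 10:02:17 | 659 | CONTOSO\\ea.jsmith | Enterprise Admins | CONTOSO\\ea.new
2009-04-25 10:40:55 | 632 | CONTOSO\\da.bob    | Helpdesk          | CONTOSO\\intern
"""

if __name__ == "__main__":
    for c in unauthorized_additions(parse_export(SAMPLE_EXPORT)):
        print(f"{c.time}: {c.subject} added {c.member} to {c.group} (event {c.event_id})")
```

On a real domain the same logic would be fed from the Security log of every domain controller, since membership changes are logged only on the DC that processed them.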