Domain Admins adding Domain Admins

Discussion in 'Active Directory' started by Guest, Apr 13, 2005.

  1. Guest

    I've been tasked to find out the best way to disallow members of the Domain
    This is tricky, as any ACL-based security measure you put in for Domain
    Admins can be overridden because they have Take Ownership rights on all
    objects by default. (This is because Administrators group have that right
    in the group policy settings, and Domain Admins are in the Administrators
    group.)

    To solve this effectively, you need to identify two different tiers of
    administrator - ones who are allowed to take ownership and ones who aren't.
    Then make the more powerful admins owners of the Domain Admins and
    Administrators groups, and set the appropriate permissions so the lesser
    admins cannot make changes to these groups.

    One way of doing this is as follows:

    1. Create a group for the more powerful admins, e.g. Power Admins

    2. Add Power Admins to the Administrators group.

    3. Remove Administrators group from the Take Ownership policy.

    4. Add Power Admins to the Take Ownership policy.

    5. On the Domain Admins, Enterprise Admins and Administrators group
    objects in the AD:

    a) Change the owner to Power Admins

    b) Grant Power Admins full control

    c) Change permissions for Domain Admins, Enterprise Admins and
    Administrators groups to only allow the following:

    List contents
    Read all properties
    Read permissions

    And deny the following:

    Modify owner

    6. Modify group memberships for Power Admins, Domain Admins etc.
    as appropriate

    Please reply and let me know if it works.
     
    Guest, Apr 13, 2005
    #1
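    The following is an added example, not code from the original post: it carries out step 5 (a-c) of the procedure above with the RSAT ActiveDirectory module and its AD: provider. Everything in it is an assumption of the example rather than something the post states: that a group named "Power Admins" already exists (step 1), that the script is run on a domain controller in the forest root domain (where Enterprise Admins lives), and that the caller can set the owner. In the Windows security model you can set the owner to yourself or to a group you belong to with "Modify owner"; setting it to a group you are not a member of additionally needs the Restore files and directories privilege. The example also locks down the Power Admins group object itself, which the post does not mention, because otherwise a lesser admin could simply add themself to it.

```powershell
# Added example: applies step 5 of the posted procedure.
# Assumes the ActiveDirectory module, an existing "Power Admins" group, and that
# this runs in the forest root domain with sufficient rights to change owners.
Import-Module ActiveDirectory

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$Deny   = [System.Security.AccessControl.AccessControlType]::Deny

function Set-ProtectedGroupAcl {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,                                           # object to lock down
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$OwnerSid,     # Power Admins
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier[]]$RestrictedSids  # DA, EA, Administrators
    )
    $path = "AD:\$ObjectDN"
    $acl  = Get-Acl -Path $path

    # 5a) Owner -> Power Admins
    $acl.SetOwner($OwnerSid)

    # 5b) Power Admins -> Full control
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $OwnerSid, $Rights::GenericAll, $Allow))

    # 5c) Lesser admin groups: drop every existing ACE for them, then allow only
    #     List contents / Read all properties / Read permissions, and deny Modify owner.
    $readOnly = $Rights::ListChildren -bor $Rights::ReadProperty -bor $Rights::ReadControl
    foreach ($sid in $RestrictedSids) {
        $acl.PurgeAccessRules($sid)
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $readOnly, $Allow))
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $Rights::WriteOwner, $Deny))
    }

    Set-Acl -Path $path -AclObject $acl
}

# Resolve the principals by well-known RID rather than by (localisable) name.
$domain   = Get-ADDomain
$domSid   = $domain.DomainSID.Value
$newSid   = { param($s) [System.Security.Principal.SecurityIdentifier]::new($s) }

$powerAdmins      = Get-ADGroup -Identity 'Power Admins'          # assumed to exist (step 1)
$domainAdminsSid  = & $newSid "$domSid-512"
$entAdminsSid     = & $newSid "$domSid-519"                       # forest root domain assumed
$administratorsSid = & $newSid 'S-1-5-32-544'
$restricted = @($domainAdminsSid, $entAdminsSid, $administratorsSid)

# Step 5 targets from the post, plus the Power Admins group itself.
$targets = @(
    (Get-ADGroup -Identity $domainAdminsSid).DistinguishedName,
    (Get-ADGroup -Identity $entAdminsSid).DistinguishedName,
    (Get-ADGroup -Identity $administratorsSid).DistinguishedName,
    $powerAdmins.DistinguishedName
)

foreach ($dn in $targets) {
    Set-ProtectedGroupAcl -ObjectDN $dn -OwnerSid $powerAdmins.SID -RestrictedSids $restricted
    Write-Host "Locked down $dn"
}
```

    One caveat a practitioner should know before running this: Domain Admins, Enterprise Admins and Administrators are AdminSDHolder-protected groups. The SDProp process on the PDC emulator periodically (every 60 minutes by default) copies the security descriptor of CN=AdminSDHolder,CN=System,<domain> onto every protected object, owner included, so an ACL and owner set directly on these three group objects will be reverted within the hour. Making it stick means applying the same changes to the AdminSDHolder object instead, and that ACL is then stamped on every protected user and group in the domain, not just on these three.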

  2. Shane

    Hi there...

    Thanks for that. I've given it a try but the only thing I have not been
    able to do is assign ownership to Power Admins.

    I have been able to do the rest all fine. The question is though, by
    changing the ACLs on the Domain Admins object, i.e. writing members (nothing too
    drastic), what consequences could there be by doing all this?

    Cheers

    Shane
     
    Shane, Apr 18, 2005
    #2
