Separating domain admins and enterprise admins

Discussion in 'Active Directory' started by WolfK, Oct 18, 2007.

  1. WolfK

    WolfK Guest

    We want to separate the functions of domain admins and enterprise admins, so
    the former cannot make themselves enterprise admins. When I do this in a new
    AD created in newly installed 2003 R2 servers, the domain admins keep modify
    perms rights, as they are the owners. So I change the ownership to
    Enterprise Admins and put an explicit deny on the enterprise objects, which
    are in their own OU. Within minutes some system process goes through and
    restores the default permissions. What's the point of having separation of
    rights when the system thinks it knows best? Beside that point, how do I
    stop this behavior? Is there some security template somewhere that I need to
    WolfK, Oct 18, 2007
  2. Joe Brown

    Joe Brown Guest

    WolfK, the permissions are being reset because Domain Admins are a protected
    group. Somewhere there is a KB article describing how permissions will go
    back to the default on protected groups. I'll post it if I can find it
    again. We ran into this when we rolled out a unified messaging system. It
    had to add some permissions to the AD accounts. Every few minutes those
    permissions were set back to default on Domain Admins, Print Operators, etc.
    Joe Brown, Oct 18, 2007
  3. Austin Osuide

    Hi WolfK,
    First off, don't make anyone you don't trust or who doesn't follow policy a
    domain admin of any domain in your forest.
    To understand what's going on with the reversion of permissions, you need to
    read about the "adminSDholder process".
    A treatise I enjoy can be found here:
    There are other links within the blog which also add info.


    Austin Osuide, Oct 18, 2007
  4. Jorge de Almeida Pinto

    It is IMPOSSIBLE to prevent members of Administrators, Domain Admins and
    Enterprise Admins from doing things you do not want them to do!

    Well, there is a solution... remove their direct or indirect membership of
    those groups.

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    Jorge de Almeida Pinto [MVP - DS], Oct 24, 2007
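
The AdminSDHolder/SDProp behaviour Joe Brown and Austin describe, and Jorge's point that group membership is the only durable control, as an added PowerShell audit that is not code from this thread; it assumes the RSAT ActiveDirectory module, read access to the domain, the default group names, and that it runs in the forest root domain (where Enterprise Admins lives).

```powershell
# Added audit helper (not from this thread). Assumes the RSAT ActiveDirectory
# module, a domain-joined host with read access to AD, and the default
# group names. Run it in the forest root domain so Enterprise Admins resolves.
Import-Module ActiveDirectory

function Get-AdminSDHolderDrift {
    # SDProp (hourly by default, on the PDC emulator) copies the ACL of
    # CN=AdminSDHolder onto every object with adminCount=1 and disables
    # inheritance on it. Any ACE present on the object but absent from the
    # template is either a change SDProp has not yet reverted or one it will
    # never keep (WolfK's explicit deny, Joe Brown's messaging-system ACEs).
    $domainDN = (Get-ADDomain).DistinguishedName
    $holderDN = "CN=AdminSDHolder,CN=System,$domainDN"
    $template = (Get-Acl -Path "AD:\$holderDN").Access
    $props    = 'IdentityReference', 'ActiveDirectoryRights',
                'AccessControlType', 'ObjectType', 'InheritanceType'

    Get-ADObject -LDAPFilter '(adminCount=1)' | ForEach-Object {
        $acl   = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        $extra = Compare-Object -ReferenceObject $template `
                                -DifferenceObject $acl.Access -Property $props |
                 Where-Object { $_.SideIndicator -eq '=>' }
        [pscustomobject]@{
            Object         = $_.DistinguishedName
            InheritanceOff = $acl.AreAccessRulesProtected   # expected: True
            ExtraAceCount  = @($extra).Count                # expected: 0
        }
    }
}

function Get-PrivilegedMembership {
    # Jorge's point: the only durable control is membership. -Recursive
    # expands nested groups so indirect members are listed as well.
    param([string[]]$Groups = @('Administrators', 'Domain Admins', 'Enterprise Admins'))
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
            [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Type = $_.objectClass }
        }
    }
}

# Only rows that deviate from the AdminSDHolder template are worth a look.
Get-AdminSDHolderDrift |
    Where-Object { $_.ExtraAceCount -gt 0 -or -not $_.InheritanceOff } |
    Format-Table -AutoSize
Get-PrivilegedMembership | Sort-Object Group, Member | Format-Table -AutoSize
```

Rows reported by the first query will disappear on the next SDProp pass, so the useful output is the membership list: anyone there can grant themselves Enterprise Admins regardless of how the OU is ACLed.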
