Posted by Roger Abell [MVP] on April 29, 2006, 2:24 am
All very understandable, and the potential of read-only DCs down the
road may help you out. For now however, I would still recommend
inventorying the actions needed by a warm body on the remote DCs
and try very hard to find a way to take those tasks under central (remote
operations where possible) control. Recognizing that this will not cover
everything, then perhaps the temporarily enabled account for time
coordinated use may be the option. That allows close monitoring and
provides greater guarantees than does attempting to deny use of the
remote personnel's accounts to only specific machines. As Joe noted,
any account able to log into a DC has great opportunities. Also, any
account with privs above a plain user can have a simple time if the
person is motivated to elevate their privs, and monitoring for that is
more difficult than monitoring the use of a temp enabled account.
> The child domains wasn't done for security reasons, it was done because
> prior to that, each campus was its own domain, completely disconnected from the
> other campuses. Each site had their own domain name, exchange server, etc.
> They were totally isolated. Politically, it was easier to bring them
> together as child domains, so the existing campus admins would still have
> a sense of control over their network. When enough of those people left,
> and things progressed we were able to centralize things. The final domain
> collapse was just the last step in that centralization.
>
> As was pointed out, my big problem is with the servers being DCs and the
> need to let them manage them.
>
> I was thinking of simply making them domain admins, but putting explicit
> denies on the critical servers. Not the best solution, but makes it
> easier....
>
>
>
> "Joe Richards [MVP]" wrote:
>
>> To add onto Roger's excellent response, you weren't as safe as you think
>> you were with the child domains and protecting your HQ. You just didn't
>> understand how Windows works. Had a child DA wanted to take over your HQ
>> domain it wouldn't have been a lot of work for them to do so. The domain
>> is not a security boundary in an AD forest.
>>
>
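Roger's suggestion above is a temporarily enabled account, switched on only for a time-coordinated task and watched closely while it is on. The script below is an added example of the "close monitoring" side of that approach; it is not code from the thread or from either poster. It reads a constructed, simplified audit feed (ISO timestamp, host, event name, account, free text), so the line format, the event names and the account name `tmp-remoteops` are all assumptions; a real deployment would map them onto the DC security log events for account enable/disable and logon for its Windows version. It checks that every enable, logon and disable of the temporary account falls inside an agreed change window, that the account is not left on longer than a maximum, and that no logon appears while the log says the account is disabled.

```python
"""Audit use of a temporarily enabled admin account against its agreed window.

Added example for the thread above; log format, event names and account
name are constructed assumptions, not a real Windows log layout.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed line format: "<ISO time> <host> <EVENT> <account> [free text]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) "
    r"(?P<event>ACCOUNT_ENABLED|ACCOUNT_DISABLED|LOGON) "
    r"(?P<account>\S+)(?: (?P<rest>.*))?$"
)


@dataclass(frozen=True)
class Finding:
    kind: str       # what rule was broken
    when: datetime  # time of the offending event
    detail: str     # host / free text for the investigator


def parse(lines):
    """Return (time, host, event, account, rest) tuples sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line, ignored here
        events.append((datetime.fromisoformat(m["ts"]), m["host"],
                       m["event"], m["account"], m["rest"] or ""))
    events.sort(key=lambda e: e[0])
    return events


def audit_temp_account(lines, account, approved, max_open=timedelta(hours=2)):
    """approved: list of (start, end) datetimes in which the account may be on."""
    findings = []
    enabled_since = None  # time of the last enable still not closed by a disable
    for ts, host, event, acct, rest in parse(lines):
        if acct != account:
            continue
        in_window = any(start <= ts <= end for start, end in approved)
        if event == "ACCOUNT_ENABLED":
            if not in_window:
                findings.append(Finding("enable_outside_window", ts, f"{host}: {rest}"))
            enabled_since = ts
        elif event == "ACCOUNT_DISABLED":
            if enabled_since is not None and ts - enabled_since > max_open:
                findings.append(Finding("window_exceeded", ts,
                                        f"open for {ts - enabled_since}"))
            enabled_since = None
        elif event == "LOGON":
            if enabled_since is None:
                # Logon with no preceding enable: log gap, replication lag,
                # or an enable that bypassed auditing. Worth a look either way.
                findings.append(Finding("logon_while_disabled", ts, f"{host}: {rest}"))
            elif not in_window:
                findings.append(Finding("logon_outside_window", ts, f"{host}: {rest}"))
    if enabled_since is not None:
        findings.append(Finding("left_enabled", enabled_since, "no matching disable event"))
    return findings


# Constructed sample feed: one clean session, then a stray logon and a
# second enable that nobody scheduled or switched off again.
SAMPLE_LOG = [
    "2006-04-28T22:00:05 DC01 ACCOUNT_ENABLED tmp-remoteops by alice ticket=CHG-1042",
    "2006-04-28T22:15:30 DC02 LOGON tmp-remoteops from 10.1.5.22",
    "2006-04-28T22:40:10 DC02 LOGON tmp-remoteops from 10.1.5.22",
    "2006-04-28T23:30:00 DC01 ACCOUNT_DISABLED tmp-remoteops by alice",
    "2006-04-29T03:10:12 DC02 LOGON tmp-remoteops from 10.1.5.22",
    "2006-04-29T03:11:00 DC02 LOGON jsmith from 10.1.5.40",
    "2006-04-30T01:00:00 DC01 ACCOUNT_ENABLED tmp-remoteops by bob",
    "2006-04-30T01:05:00 DC03 LOGON tmp-remoteops from 10.2.7.9",
]
APPROVED = [(datetime(2006, 4, 28, 21, 30), datetime(2006, 4, 29, 0, 0))]

if __name__ == "__main__":
    for f in audit_temp_account(SAMPLE_LOG, "tmp-remoteops", APPROVED):
        print(f.when.isoformat(), f.kind, f.detail)
```

Run as-is it reports four findings on the sample feed: a logon while the account should have been off, an enable outside any approved window, a logon in that unapproved session, and the account still enabled at the end of the log. The first four lines alone produce no findings, which is what a properly coordinated session should look like. Feeding it the real per-user events from the DCs rather than a constructed feed is the only change needed to turn it into the monitoring Roger describes.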