Posted by Steven L Umbach on September 15, 2005, 11:09 am
First off, in a root domain you really cannot prevent a member of the
administrators group for the "domain" or domain admins group from becoming
whatever they want, including enterprise or schema administrators. You really
should only need a couple of administrators [or domain admins] for the
domain. You can, however, add regular domain users to the local administrators
group of any domain computer that is not a domain controller. You can do it
via a Group Policy startup script using the net localgroup command, or use
Restricted Groups via a Group Policy linked at the OU level and then add the
domain computers you want them to be local administrators on into that OU.
You may want to use the "member of" option when you do this: create a global
group that contains the users you want, then add it to administrators. Your
Windows 2000 computers will need to be at SP4 for "member of" to work right.
You do not have to use "member of", but the other option will replace and
enforce current membership in the local administrators group on those domain
computers, which may or may not be desirable for you. Once you have that, make
sure that membership of administrators [for the domain], domain admins,
enterprise admins, and schema admins is what you want, monitor it
closely, and be sure that auditing of account management is enabled in Domain
Controller Security Policy so that it can help you monitor changes in group
membership. -- Steve
http://www.microsoft.com/technet/security/default.mspx --- TechNet Security home page
> I need to figure out a way to prevent the network admins from promoting
> themselves to enterprise/schema admins. I have already set up the restricted
> group, but they can still add themselves to these groups to bypass this.
>
> Questions:
> 1) How can I set the permissions so only enterprise admin can edit all
> GPOs? I will then delegate specific policies to specific people.
> 2) Can I modify the default domain GPO ACL to only have enterprise admin
> edit it? I see in the GMPC that I can remove the delegation to domain
> admins. Is this how I go about this?
> 3) MOST IMPORTANTLY: I have tried removing domain admin permissions from
> my guys, but then it gets really hard for them to do their work on client PCs
> since they have to log in as local admin. What can I do to ease this pain
> and remove domain admin for a few more guys? I have added them to the
> administrators group in AD but that did not seem to help.
> 4) Right now the group "domain admins" is added to the remote tab of the
> system tab. Should I replace this with the "Remote Desktop Users" group?
> I am also considering customizing this per server, is this safe?
>
> I realize that I am not doing things the right way and that none of us
> should log onto every/any PC as a domain admin, but I do not have a more
> efficient method yet.
>
> TIA
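The startup-script route from Steve's reply above, written out as an added example that is not part of the original thread: it adds a domain global group to the local Administrators group with `net localgroup`, and shows the difference between the append-only "member of" behaviour and the enforce-membership behaviour he warns replaces the existing members. The group name, allowed-member list and log path are assumptions (placeholders), and the script assumes an English-language `net` output and a PowerShell-capable client rather than the batch file a Windows 2000 era deployment would have used.

```powershell
# Added example (not from the thread). Run as a Group Policy computer startup
# script on member workstations, never on a domain controller.
param(
    # Assumed global group holding the helpdesk/workstation admins (placeholder).
    [string]$DomainGroup = 'EXAMPLE\Workstation-Admins',
    # $false = "member of" semantics: append the group, keep existing members.
    # $true  = enforce semantics: remove every member not on the allowed list.
    [bool]$EnforceMembership = $false,
    [string[]]$AllowedMembers = @('Administrator', 'EXAMPLE\Domain Admins'),
    [string]$LogPath = "$env:SystemRoot\Temp\localadmin-startup.log"  # assumed
)

function Get-LocalAdminMembers {
    # Parse "net localgroup Administrators": the member names sit between the
    # dashed separator line and the "The command completed successfully." footer.
    $lines = net localgroup Administrators
    $members = @()
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $members += $line.Trim() }
    }
    return $members
}

function Write-Log([string]$Message) {
    # Timestamped line per change so group-membership drift on clients is visible.
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" |
        Out-File -FilePath $LogPath -Append
}

$current = Get-LocalAdminMembers

# Append mode ("member of"): add the group only if it is not already present,
# so the script stays idempotent across reboots.
if ($current -notcontains $DomainGroup) {
    net localgroup Administrators "$DomainGroup" /add | Out-Null
    Write-Log "added $DomainGroup to local Administrators"
}

# Enforce mode (the replace behaviour Steve describes): strip anyone who is
# neither the domain group nor on the allowed list.
if ($EnforceMembership) {
    $allowed = $AllowedMembers + $DomainGroup
    foreach ($member in $current) {
        if ($allowed -notcontains $member) {
            net localgroup Administrators "$member" /delete | Out-Null
            Write-Log "removed $member from local Administrators (enforce mode)"
        }
    }
}
```

On a non-English Windows build the separator and footer text differ, so the parser in `Get-LocalAdminMembers` would need its two patterns adjusted before use.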