Security Basics mailing list archives

Re: Restrict the Domain Admin

From: Pete Hunt <lists () ninjafriendly com>
Date: Sat, 17 Sep 2005 21:45:28 +0100

sf_mail_sbm () yahoo com wrote:

Hi List,
Is there a way to restrict access of a Domain Admin?
Example, can we allow a Dommain admin to do everything EXCEPT user management (e.g. password reset)?
We want to secure our environment, and do not want to have "ALL-POWERFULL" domain admins around

Er, that's the whole point behind a domain admin account. They haveroot. Anything you do to restrict them, they can undo.

This was discussed recently here:http://www.securityfocus.com/archive/105/397137

http://www.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=software+to+control+domain+administrators&x=0&y=0

The gist is "Prevent the use of domain admin accounts where such a levelof access is unnecessary. When domain admin access is necessary, choosetrustworthy domain admins and log and audit their activities".


Pete

Current thread:

Restrict the Domain Admin sf_mail_sbm (Sep 16)
- Re: Restrict the Domain Admin Christos Triantafyllidis (Sep 19)
- Re: Restrict the Domain Admin G. Chomic (Sep 19)
- Re: Restrict the Domain Admin Raoul Armfield (Sep 19)
- Re: Restrict the Domain Admin Pete Hunt (Sep 19)
- RE: Restrict the Domain Admin Brian Loe (Sep 19)
- Re: Restrict the Domain Admin cc (Sep 20)
- Re: Restrict the Domain Admin Cam Fischer (Sep 22)
  - Re: Restrict the Domain Admin Glenn English (Sep 26)
- <Possible follow-ups>
- RE: Restrict the Domain Admin Brunner, Mark (Sep 19)
- RE: Restrict the Domain Admin Robert McIntyre (Sep 20)
- RE: Restrict the Domain Admin Craig Wright (Sep 22)
  - RE: Restrict the Domain Admin Charles Otstot (Sep 26)
  - RE: Restrict the Domain Admin Brian Loe (Sep 26)
- RE: Restrict the Domain Admin Depp, Dennis M. (Sep 22)

(Thread continues...)