AlLilianstrom (Posts: 39) - 05/30/2009 12:26 AM
Andrew Levicki wrote:
> Serious question, is 9 DAs too many for 1200+ users? I think not.
Yes. I think 9 DAs is too many for most installations. In my experience (<10000 users) 3 or 4 seems to be a good number. That ensures coverage for vacations/illness/training/etc.
Do you need more people that can add computers, reset passwords, etc? Yes. But they don't need to be DAs.
ACLs are your friend.
al
Al Lilianstrom lilstrom@fnal.gov
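Al's point is that helpdesk staff who need to reset passwords or join computers get those rights through ACEs on the relevant OUs, not through Domain Admins membership. The PowerShell below is an added example, not Al's code and not from this thread. It assumes the ActiveDirectory module (RSAT) is installed; the OU names and the group name are placeholders, and the three GUIDs are the well-known AD schema identifiers for the Reset Password extended right, the user class and the computer class.

```powershell
# Added example, not from the thread: grant a helpdesk group the two rights Al
# mentions (reset passwords, add computers) on specific OUs via ACEs, so its
# members never need to be Domain Admins.
# Assumes the ActiveDirectory module (RSAT); OU and group names are placeholders.
Import-Module ActiveDirectory

$UsersOu     = 'OU=Staff,DC=example,DC=com'        # placeholder OU holding user accounts
$ComputersOu = 'OU=Workstations,DC=example,DC=com' # placeholder OU where machines get joined
$HelpdeskGrp = 'Helpdesk-Delegated'                # placeholder group, not a protected group

# Well-known AD schema GUIDs (published in the AD schema, not specific to this thread).
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class: user
$ComputerClass      = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # object class: computer

function Add-DelegatedAce {
    param(
        [Parameter(Mandatory)][string]$TargetDn,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty,          # which right/attribute/class the ACE covers; Empty = all
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents',
        [Guid]$InheritedObjectType = [Guid]::Empty  # which descendant class the ACE applies to; Empty = all
    )
    $path = "AD:\$TargetDn"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

$sid = (Get-ADGroup -Identity $HelpdeskGrp).SID

# 1. Reset Password on user objects under the staff OU only (not on the OU itself,
#    and not on groups or computers that happen to live there).
Add-DelegatedAce -TargetDn $UsersOu -Sid $sid `
    -Rights ExtendedRight -ObjectType $ResetPasswordRight `
    -Inheritance Descendents -InheritedObjectType $UserClass

# 2. Create computer objects in the workstation OU (what a domain join needs),
#    with no right to touch user accounts or the OU's other children.
Add-DelegatedAce -TargetDn $ComputersOu -Sid $sid `
    -Rights CreateChild -ObjectType $ComputerClass -Inheritance All

# Verify: show exactly which ACEs the group now holds on each OU.
foreach ($ou in $UsersOu, $ComputersOu) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$HelpdeskGrp" } |
        Select-Object @{n='OU';e={$ou}}, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
        Format-Table -AutoSize
}
```

The verification step is the part worth keeping in a runbook: every delegated ACE is visible on the OU's security descriptor, so the delegation can be audited later, which is exactly what membership of a protected group does not give you.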
Gil (Posts: 311) - 05/30/2009 11:37 PM
I know of a company that at the time had 80K users in 5 domains and had 15 DAs.
-g
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Levicki
Sent: Friday, May 29, 2009 3:38 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Access
Serious question, is 9 DAs too many for 1200+ users? I think not.
2009/5/29 Gabriele Scolaro <gabro@gabro.net>
Agree. In my experience the main issue is around managers always seeking for consensus. It's easier to say "YES" do 9 DAs than saying "NO" to 6 (ex)DAs. Another issue is that some managers have a weird vision of "risk": "It works today, I don't care about tomorrow."
Gabriele.
-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Patrick Paul
Sent: venerdì 29 maggio 2009 14.07
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Access
We are down to about 9 DA but I want a max of 3 - we are a small company 1250 employees but BOSSES and POLITICS.
Thanks all for your replies.
-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
Sent: Wednesday, May 27, 2009 1:39 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Access
I understand what you are saying, but the correct answer to his poser is simply "there is currently no known way".
His problem is not a technical one - it is a procedural (human) one that could only be "Fixed" by non-technical means - at this time, at least.
Sincerely,
www.akomolafe.name - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Andrew Healey [drewhealey@gmail.com]
Sent: Tuesday, May 26, 2009 7:33 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Access
I was simply trying to answer the chap's query. I am 100% in agreement with you. It is a hack that could easily be worked around by anybody who has an ounce of knowledge. If they have domain admin rights, what's stopping them from removing the loopback? Hell, he could just skip the loopback mess and add a logon script. It is all a hack. The proper solution is to restrict the membership of "sensitive" groups.
However, everybody seemed to be telling him that he needs to talk to person x or solve it by fixing policy y or that certain group z wasn't doing their job.
His question was, "Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?" I was simply trying to offer him a way to make it happen.
Thanks for the clarification though.
On Tue, May 26, 2009 at 7:14 PM, Akomolafe, Deji <deji@readymaids.com> wrote:
> ANY Domain Admin whose attempt to log onto a DC is defeated by the "fix" you have provided below should not have been a Domain Admin in the first place.
>
> Sincerely,
> www.akomolafe.name - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
> ________________________________________
> From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Andrew Healey [drewhealey@gmail.com]
> Sent: Tuesday, May 26, 2009 7:09 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Domain Admins Access
>
> Loopback logon script for your domain controllers. Just have it check the UPN or sAMAccountName and force a log off as soon as they log on. You could even present them with a nice popup saying, "Have a nice day. Thanks for playing."
>
> The logic is easy:
>
> For Each admin in badAdmins
>     If admin = logonName Then ForceLogoff
> Next
>
> In reality, those that have responded so far are correct. It sounds like your management and security personnel should be doing their jobs better. However, I guess it all depends on the situation. Just keep in mind Newton's laws of motion. Something like this could come back and bite you in the arse.
>
> Andrew J Healey
> http://halfloaded.com
>
> On Tue, May 26, 2009 at 7:58 AM, Patrick Paul <patrickp@batelnet.bs> wrote:
>> Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?
>>
>> I know this is a strange question but the reason is simple when you're looking at it from my perspective. I am responsible for DCs but other administrators with DOMAIN ADMIN accounts exist and are trespassing and doing whatever they wish.
>>
>> Regards
>>
>> Patrick
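The conclusion the quoted thread keeps coming back to is that the real control is who sits in Domain Admins and the other protected groups, since a DA can simply remove a logon script aimed at DAs. The PowerShell below is an added example, not code from this thread or from any of the posters: it reports the flattened membership of the protected groups and flags any Domain Admin not on a change-controlled approved list. It assumes the ActiveDirectory module (RSAT); the approved account names are placeholders.

```powershell
# Added example, not from the thread. Reports who sits in the protected admin
# groups and flags anyone not on a change-controlled approved list.
# Assumes the ActiveDirectory module (RSAT); the account names are placeholders.
Import-Module ActiveDirectory

# Placeholder approved list; in practice keep this under change control.
$ApprovedDomainAdmins = @('da-alice', 'da-bob', 'da-carol')

function Get-ProtectedGroupReport {
    # One row per group: member count and the flattened member list.
    # -Recursive expands nested groups, so a DA hidden one nesting level down still shows up.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'
    foreach ($g in $groups) {
        try {
            $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop)
            [pscustomobject]@{
                Group       = $g
                MemberCount = $members.Count
                Members     = ($members.SamAccountName | Sort-Object) -join ', '
            }
        } catch {
            # Enterprise Admins and Schema Admins exist only in the forest root domain.
            [pscustomobject]@{ Group = $g; MemberCount = $null; Members = "not readable: $($_.Exception.Message)" }
        }
    }
}

function Get-UnapprovedDomainAdmins {
    param([Parameter(Mandatory)][string[]]$Approved)
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $Approved -notcontains $_.SamAccountName }
}

# Usage: print the report, then list anyone who should not be a DA.
Get-ProtectedGroupReport | Format-Table -AutoSize
$unapproved = @(Get-UnapprovedDomainAdmins -Approved $ApprovedDomainAdmins)
if ($unapproved.Count -gt 0) {
    Write-Warning ("Unapproved Domain Admins: " + ($unapproved.SamAccountName -join ', '))
    # Dry run of the remediation; drop -WhatIf only once the membership change is approved.
    $unapproved | ForEach-Object { Remove-ADGroupMember -Identity 'Domain Admins' -Members $_ -WhatIf }
}
```

Run on a schedule and diffed against the previous report, this turns the "9 DAs or 3?" argument into a recorded fact: every addition to a protected group shows up the next day with a name attached, whether or not the person who added it went through change control.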
bdesmond (Posts: 977) - 05/30/2009 11:39 PM
I can think of some examples:
- 40K users in 2 domains and 5 or so DAs
- 150K users in 4 domains and 7 or so DAs
- 80K users in 3 domains and 5 or so DAs
- 150K users in 5 domains and 200 or so DAs
- 500K users in 2 domains and 5 or so DAs

Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Gil Kirkpatrick
Sent: Saturday, May 30, 2009 5:28 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Access

I know of a company that at the time had 80K users in 5 domains and had 15 DAs.
-g
bsonposh (Posts: 408) - 05/31/2009 12:06 AM
We have 300k and 5 DA's... Of course we are special.
I know of another prod domain w/ 15k and 3 DA's
On 5/30/09, Brian Desmond <brian@briandesmond.com> wrote:
-- Sent from my mobile device
kurtbuff (Posts: 200) - 05/31/2009 12:42 AM
*200* DAs? OMG - that must have been a nightmare.
On Sat, May 30, 2009 at 15:38, Brian Desmond <brian@briandesmond.com> wrote:
bsonposh (Posts: 408) - 05/31/2009 12:57 AM
On the flip side of this I was in an environment with ~600 DA's
On 5/30/09, Kurt Buff <kurt.buff@gmail.com> wrote:
-- Sent from my mobile device
kurtbuff (Posts: 200) - 05/31/2009 1:43 AM
I can't even begin to imagine that, even if you have an alternate expansion for that abbreviation - well, perhaps Boeing has that many DumbA*'s
Heh.
Kurt
On Sat, May 30, 2009 at 16:54, Brandon Shell <tshell@gmail.com> wrote:
dloder (Posts: 131) - 06/01/2009 2:49 PM
My prod is 225K users, 3 DAs.
Don't know what one has to do to gain a "special" designation, but joe made us what we are, and I'm sure he'll chime in agreement with Brandon being special. ;-)
-- dloder.blogspot.com --
--- On Sat, 5/30/09, Brandon Shell <tshell@gmail.com> wrote:
-- Sent from my mobile device
bsonposh (Posts: 408) - 06/01/2009 3:03 PM
Special in the sense that our AD is completely automated... there is little interaction with AD by "actual" users. It really is not a fair comparison.
On Mon, Jun 1, 2009 at 9:48 AM, David Loder <dloder@yahoo.com> wrote:
> > > > > > On Tue, May 26, 2009 at 7:14 PM, Akomolafe, Deji > > <deji@readymaids.com<http://us.mc01g.mail.yahoo.com/mc/compose?to=deji@readymaids.com> > <mailto:deji@readymaids.com<http://us.mc01g.mail.yahoo.com/mc/compose?to=deji@readymaids.com> > >> > > wrote: > >> ANY Domain Admin whose attempt to log onto a DC is defeated by the "fix" > > you have provided below should not have been a Domain Admin in the first > > place. > >> > >> > >> Sincerely, > >> _____ > >> (, / | /) /) /) > >> /---| (/_ ______ ___// _ // _ > >> ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_ > >> (_/ /) > >> (/ > >> www.akomolafe.name<http://www.akomolafe.name> - we know IT > >> -5.75, -3.23 > >> Do you now realize that Today is the Tomorrow you were worried about > > Yesterday? -anon > >> ________________________________________ > >> From: > >> activedir-owner@mail.activedir.org<http://us.mc01g.mail.yahoo.com/mc/compose?to=activedir-owner@mail.activedir.org> > <mailto:activedir-owner@mail.activedir.org<http://us.mc01g.mail.yahoo.com/mc/compose?to=activedir-owner@mail.activedir.org> > > > > [activedir-owner@mail.activedir.org<http://us.mc01g.mail.yahoo.com/mc/compose?to=activedir-owner@mail.activedir.org> > <mailto:activedir-owner@mail.activedir.org<http://us.mc01g.mail.yahoo.com/mc/compose?to=activedir-owner@mail.activedir.org> > >] > > On Behalf Of Andrew Healey > > [drewhealey@gmail.com<http://us.mc01g.mail.yahoo.com/mc/compose?to=drewhealey@gmail.com> > <mailto:drewhealey@gmail.com<http://us.mc01g.mail.yahoo.com/mc/compose?to=drewhealey@gmail.com> > >] > >> Sent: Tuesday, May 26, 2009 7:09 PM > >> To: activedir@mail.activedir.org<http://us.mc01g.mail.yahoo.com/mc/compose?to=activedir@mail.activedir.org> > <mailto:activedir@mail.activedir.org<http://us.mc01g.mail.yahoo.com/mc/compose?to=activedir@mail.activedir.org> > > > >> Subject: Re: [ActiveDir] Domain Admins Access > >> > >> Loopback logon script for your domain controllers. 
Just have it check > >> the UPN or sAMAccountName and force a log off as soon as they log on. > >> You could even present them with a nice popup saying, "Have a nice > >> day. Thanks for playing." > >> > >> The logic is easy: > >> > >> For Each admin in badAdmins > >> If admin = logonName Then ForceLogoff > >> Next > >> > >> In reality, those that have responded so far are correct. It sounds > >> like your management and security personnel should be doing their jobs > >> better. However, I guess it all depends on the situation. Just keep > >> in mind Newton's laws of motion. Something like this could come back > >> and bite you in the arse. > >> > >> > >> Andrew J Healey > >> http://halfloaded.com > >> > >> > >> > >> On Tue, May 26, 2009 at 7:58 AM, Patrick Paul > >> <patrickp@batelnet.bs<http://us.mc01g.mail.yahoo.com/mc/compose?to=patrickp@batelnet.bs> > <mailto:patrickp@batelnet.bs<http://us.mc01g.mail.yahoo.com/mc/compose?to=patrickp@batelnet.bs> > >> > > wrote: > >>> Is there a way to block DOMAIN ADMINS from logging on to a DC and > member > >>> servers? > >>> > >>> > >>> > >>> I know this is a strange question but the reason is simple when your > > looking > >>> at it from my perspective. I am responsible for DCs but other > > administrators > >>> with DOMAIN ADMIN accounts exist and are trespassing and doing whatever > > they > >>> wish. > >>> > >>> > >>> > >>> Regards > >>> > >>> Patrick > > > > > > -- > Sent from my mobile device > > >
| | | |
| listmail
Posts:822
 | | 06/02/2009 1:36 AM |
| Yeah that is too many really, by my estimate by a factor of 3, especially for such a small environment. I prefer to see 3-6 very knowledgeable people with DA regardless of environment size. Everyone else gets delegated rights. That being said, when you outsource your support to low cost regions you tend to get more people in DA group with less individual knowledge (yes I also think that is trending in the wrong direction for the wrong reasons...).
The absolute best run AD I have come across in the last 10 years had 3 engineers (and 1 manager) with DA rights for roughly (at the time) 250,000 userids and over 300,000 machines.
When it really comes down to it, there seems to be very little true AD DA work once a forest is established unless a company is in a state of massive churn (like site/subnet changes, not OU changes, AD DAs shouldn't be spending much energy on OU's IMO[1]). It seems a lot of the work is stuff tossed to DA's they shouldn't be doing in the first place (IMO) or they just end up getting every little issue everyone else can't solve escalated to them. This last is a result of poor quality Windows admins who don't know how to troubleshoot, they know to click on things and change stuff until it works and sometimes that just isn't enough... When I walk into a place, I usually don't want to be a DA though people try to throw those rights at me. For the most part, unless I am there to actually do the ops support I don't need the rights. I didn't have DA in any production environment for nearly 4 years and solved all sorts of problems and was able to look at all sorts of data.
joe
[1] Nor really any data population. AD DAs should be managing the service and making sure AD is patched and functioning properly.
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Levicki Sent: Friday, May 29, 2009 6:38 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
Serious question, is 9 DAs too many for 1200+ users? I think not.
2009/5/29 Gabriele Scolaro <gabro@gabro.net>
Agree. In my experience the main issue is around managers always seeking for consensus. It's easier to say "YES" do 9 DAs than saying "NO" to 6 (ex)DAs. Another issue is that some managers have a weird vision of "risk": "It works today, I don't care about tomorrow."
Gabriele.
-----Original Message----- From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Patrick Paul Sent: Friday, 29 May 2009 14:07 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins Access
We are down to about 9 DA but I want a max of 3 - we are a small company 1250 employees but BOSSES and POLITICS. Thanks all for your replies.
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji Sent: Wednesday, May 27, 2009 1:39 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins Access
I understand what you are saying, but the correct answer to his poser is simply "there is currently no known way".
His problem is not a technical one - it is a procedural (human) one that could only be "Fixed" by non-technical means - at this time, at least.
Sincerely, www.akomolafe.name - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Andrew Healey [drewhealey@gmail.com] Sent: Tuesday, May 26, 2009 7:33 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
I was simply trying to answer the chap's query. I am 100% in agreement with you. It is a hack that could easily be worked around by anybody who has an ounce of knowledge. If they have domain admin rights, what's stopping them from removing the loopback? Hell, he could just skip the loopback mess and add a logon script. It is all a hack. The proper solution is to restrict the membership of "sensitive" groups.
However, everybody seemed to be telling him that he needs to talk to person x or solve it by fixing policy y or that certain group z wasn't doing their job.
His question was, "Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?" I was simply trying to offer him a way to make it happen.
Thanks for the clarification though.
On Tue, May 26, 2009 at 7:14 PM, Akomolafe, Deji <deji@readymaids.com> wrote:
> ANY Domain Admin whose attempt to log onto a DC is defeated by the "fix" you have provided below should not have been a Domain Admin in the first place.
>
> Sincerely,
> www.akomolafe.name - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
> ________________________________________
> From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Andrew Healey [drewhealey@gmail.com]
> Sent: Tuesday, May 26, 2009 7:09 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Domain Admins Access
>
> Loopback logon script for your domain controllers. Just have it check the UPN or sAMAccountName and force a log off as soon as they log on. You could even present them with a nice popup saying, "Have a nice day. Thanks for playing."
>
> The logic is easy:
>
>     ' Runnable VBScript form of the posted pseudocode; the account names are placeholders
>     badAdmins = Array("admin1", "admin2")
>     logonName = LCase(CreateObject("WScript.Network").UserName)   ' sAMAccountName of the logged-on user
>     For Each admin In badAdmins
>         If LCase(admin) = logonName Then CreateObject("WScript.Shell").Run "shutdown /l /f", 0, False
>     Next
>
> In reality, those that have responded so far are correct. It sounds like your management and security personnel should be doing their jobs better. However, I guess it all depends on the situation. Just keep in mind Newton's laws of motion. Something like this could come back and bite you in the arse.
>
> Andrew J Healey
> http://halfloaded.com
>
> On Tue, May 26, 2009 at 7:58 AM, Patrick Paul <patrickp@batelnet.bs> wrote:
>> Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?
>>
>> I know this is a strange question but the reason is simple when you're looking at it from my perspective. I am responsible for DCs but other administrators with DOMAIN ADMIN accounts exist and are trespassing and doing whatever they wish.
>>
>> Regards
>>
>> Patrick
| | | |
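joe's point above (3 to 6 knowledgeable people in Domain Admins, everyone else delegated) can only be checked if you know who is effectively in the group, nested groups and primary-group membership included. The PowerShell below is an added example for this page, not code from joe or anyone else in the thread. It uses only ADSI and System.DirectoryServices, assumes a Windows Server 2003 SP2 or later DC (needed for the in-chain matching rule), and the sAMAccountNames in $approved are placeholders to replace with your own.

```powershell
# Added example (not from the thread): who *effectively* holds Domain Admins,
# diffed against a short approved list. Assumes a domain-joined machine and a
# 2003 SP2+ DC. $approved holds placeholder names; replace them with yours.
$approved = @('adm.alice', 'adm.bob', 'adm.carol')

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.defaultNamingContext
$domain    = [ADSI]"LDAP://$domainDn"
$domainSid = New-Object System.Security.Principal.SecurityIdentifier($domain.objectSid[0], 0)

# Resolve Domain Admins by its well-known RID (512) instead of a hard-coded DN;
# the group does not have to live under CN=Users.
$daGroup = [ADSI]"LDAP://<SID=$domainSid-512>"
$daDn    = [string]$daGroup.distinguishedName

# Escape the DN for use inside an LDAP filter (RFC 4515 rules).
$daDnEsc = $daDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.PageSize = 1000
# 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC expand nested
# groups. primaryGroupID=512 catches accounts whose *primary* group is Domain
# Admins; those never appear in the group's member attribute.
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(|(memberOf:1.2.840.113556.1.4.1941:=$daDnEsc)(primaryGroupID=512)))"
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'distinguishedName'))

$effective = @(foreach ($r in $searcher.FindAll()) {
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    New-Object PSObject -Property @{
        Name     = [string]$r.Properties['samaccountname'][0]
        Disabled = [bool]($uac -band 0x2)          # ADS_UF_ACCOUNTDISABLE
        DN       = [string]$r.Properties['distinguishedname'][0]
    }
})

$effectiveNames = @($effective | ForEach-Object { $_.Name })
$unapproved     = @($effective | Where-Object { $approved -notcontains $_.Name })
$missing        = @($approved  | Where-Object { $effectiveNames -notcontains $_ })

"Effective Domain Admins: $($effective.Count); approved: $($approved.Count); " +
"not on the approved list: $($unapproved.Count); approved but not DA: $($missing.Count)"
$unapproved | Sort-Object Name | Format-Table Name, Disabled, DN -AutoSize
```

Disabled accounts are listed on purpose: a disabled account still counts as a Domain Admin the moment someone re-enables it. To audit the other tier-0 groups the same way, rerun with RID 519 (Enterprise Admins, forest root only) and the builtin Administrators group (S-1-5-32-544), adjusting the primaryGroupID clause to match.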
| TG
Posts:298
 | | 06/02/2009 1:40 AM |
| I am looking for a way to let a specific group of people join devices to the domain, but only to the list of Organizational Units that I want the devices to reside in.
Seemed simple. Grant the group rights to join workstations to the domain, delegate the appropriate tasks on the Organizational Units and you are good.
Hit a little snag. At the first blush I am not able to restrict adding the computers to the default Organizational Unit (I have redirected cn=computers to an Organizational Unit).
While there are no explicit permissions assigned to the group on that Organizational Unit, a member of the group can successfully join computers into that default Organizational Unit. After removing Authenticated Users and the Pre-Windows 2000 group from the ACL I get an error that the SPN could not be written (even though both of them only had READ rights to begin with), but the computer object is still created.
Is that something embedded in the code?
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering tony dot gordon at hewitt dot tld | www.hewitt.com
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
| | | |
| Ravi.Sabharanjak@barclaysglobal.com
Posts:0
 | | 06/02/2009 2:23 AM |
| How do you redirect the cn=computers to an OU?
________________________________
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Tony Gordon Sent: Monday, June 01, 2009 3:21 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
I am looking for a way to let a specific group of people join devices to the domain, but only to the list of Organizational Units that I want the devices to reside in.
Seemed simple. Grant the group rights to join workstations to the domain, delegate the appropriate tasks on the Organizational Units and you are good.
Hit a little snag. At the first blush I am not able to restrict adding the computers to the default Organizational Unit (I have redirected cn=computers to an Organizational Unit).
While there are no explicit permissions assigned to the group on that Organizational Unit, a member of the group can successfully join computers into that default Organizational Unit. After removing Authenticated Users and the Pre-Windows 2000 group from the ACL I get an error that the SPN could not be written (even though both of them only had READ rights to begin with), but the computer object is still created.
Is that something embedded in the code?
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering tony dot gordon at hewitt dot tld | www.hewitt.com
--
This message and any attachments are confidential, proprietary, and may be privileged. If this message was misdirected, Barclays Global Investors (BGI) does not waive any confidentiality or privilege. If you are not the intended recipient, please notify us immediately and destroy the message without disclosing its contents to anyone. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. The views and opinions expressed in this e-mail message are the author's own and may not reflect the views and opinions of BGI, unless the author is authorized by BGI to express such views or opinions on its behalf. All email sent to or from this address is subject to electronic storage and review by BGI. Although BGI operates anti-virus programs, it does not accept responsibility for any damage whatsoever caused by viruses being passed.
| | | |
| slasitz
Posts:15
 | | 06/02/2009 2:29 AM |
| http://technet.microsoft.com/en-us/library/cc772903(WS.10).aspx
Steve
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Sabharanjak, Ravi BGI SF Sent: Monday, June 01, 2009 9:23 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins Access
How do you redirect the cn=computers to an OU?
________________________________ From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Tony Gordon Sent: Monday, June 01, 2009 3:21 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access

I am looking for a way to let a specific group of people join devices to the domain, but only to the list of Organizational Units that I want the devices to reside in.
Seemed simple. Grant the group rights to join workstations to the domain, delegate the appropriate tasks on the Organizational Units and you are good.
Hit a little snag. At the first blush I am not able to restrict adding the computers to the default Organizational Unit (I have redirected cn=computers to an Organizational Unit).
While there are no explicit permissions assigned to the group on that Organizational Unit, a member of the group can successfully join computers into that default Organizational Unit. After removing Authenticated Users and the Pre-Windows 2000 group from the ACL I get an error that the SPN could not be written (even though both of them only had READ rights to begin with), but the computer object is still created.
Is that something embedded in the code?
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering tony dot gordon at hewitt dot tld | www.hewitt.com
| | | |
| bdesmond
Posts:977
 | | 06/02/2009 2:32 AM |
| Redircmp.exe or perhaps redrcmp (I forget). ws2003 feature
Brian Desmond from my phone
________________________________ From: Sabharanjak, Ravi BGI SF <Ravi.Sabharanjak@barclaysglobal.com> Sent: Monday, June 01, 2009 6:25 PM To: activedir@mail.activedir.org <activedir@mail.activedir.org> Subject: RE: [ActiveDir] Domain Admins Access
How do you redirect the cn=computers to an OU?
________________________________ From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Tony Gordon Sent: Monday, June 01, 2009 3:21 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
I am looking for a way to let a specific group of people join devices to the domain, but only to the list of Organizational Units that I want the devices to reside in.
Seemed simple. Grant the group rights to join workstations to the domain, delegate the appropriate tasks on the Organizational Units and you are good.
Hit a little snag. At the first blush I am not able to restrict adding the computers to the default Organizational Unit (I have redirected cn=computers to an Organizational Unit).
While there are no explicit permissions assigned to the group on that Organizational Unit, a member of the group can successfully join computers into that default Organizational Unit. After removing Authenticated Users and the Pre-Windows 2000 group from the ACL I get an error that the SPN could not be written (even though both of them only had READ rights to begin with), but the computer object is still created.
Is that something embedded in the code?
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering tony dot gordon at hewitt dot tld | www.hewitt.com
| | | |
| DaemonRoot
Posts:122
 | | 06/02/2009 2:40 AM |
| http://support.microsoft.com/kb/324949
Very useful stuff!
~D~
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Monday, June 01, 2009 7:31 PM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins Access
Redircmp.exe or perhaps redrcmp (I forget). ws2003 feature
Brian Desmond from my phone
_____
From: Sabharanjak, Ravi BGI SF <Ravi.Sabharanjak@barclaysglobal.com> Sent: Monday, June 01, 2009 6:25 PM To: activedir@mail.activedir.org <activedir@mail.activedir.org> Subject: RE: [ActiveDir] Domain Admins Access
How do you redirect the cn=computers to an OU?
_____
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Tony Gordon Sent: Monday, June 01, 2009 3:21 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
I am looking for a way to let a specific group of people join devices to the domain, but only to the list of Organizational Units that I want the devices to reside in.
Seemed simple. Grant the group rights to join workstations to the domain, delegate the appropriate tasks on the Organizational Units and you are good.
Hit a little snag. At the first blush I am not able to restrict adding the computers to the default Organizational Unit (I have redirected cn=computers to an Organizational Unit).
While there are no explicit permissions assigned to the group on that Organizational Unit, a member of the group can successfully join computers into that default Organizational Unit. After removing Authenticated Users and the Pre-Windows 2000 group from the ACL I get an error that the SPN could not be written (even though both of them only had READ rights to begin with), but the computer object is still created.
Is that something embedded in the code?
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering tony dot gordon at hewitt dot tld | www.hewitt.com
| | | |
| gabriel/tfi
Posts:425
 | | 06/02/2009 8:29 PM |
| Hi Tony,
> I am not able to restrict adding the computers to the default Organizational Unit

Does this mean any Domain User can join a computer to the domain and the computer object is created in that redirected OU by the join process?
If that's the case, I would check:
a) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to domain
b) ms-DS-MachineAccountQuota attribute (http://gabro.net/2009/02/everybody-can-join-up-to-10-computers-to-the-domain/)
Cheers Gabriele.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Tony Gordon Sent: Tuesday, 2 June 2009 00:21 To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
I am looking for a way to let a specific group of people join devices to the domain, but only to the list of Organizational Units that I want the devices to reside in.
Seemed simple. Grant the group rights to join workstations to the domain, delegate the appropriate tasks on the Organizational Units and you are good.
Hit a little snag. At the first blush I am not able to restrict adding the computers to the default Organizational Unit (I have redirected cn=computers to an Organizational Unit).
While there are no explicit permissions assigned to the group on that Organizational Unit, a member of the group can successfully join computers into that default Organizational Unit. After removing Authenticated Users and the Pre-Windows 2000 group from the ACL I get an error that the SPN could not be written (even though both of them only had READ rights to begin with), but the computer object is still created.
Is that something embedded in the code?
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering tony dot gordon at hewitt dot tld | www.hewitt.com
_____
The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
| | | |
| gabriel/tfi
Posts:425
 | | 06/02/2009 9:10 PM |
| Another thing that was in fashion many years ago, of course in small companies, was if a certain app does not work, add the user to Domain Admins group!
Gabriele.
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe Sent: martedì 2 giugno 2009 0.01 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins Access
Yeah that is too many really, by my estimate by a factor of 3, especially for such a small environment. I prefer to see 3-6 very knowledgeable people with DA regardless of environment size. Everyone else gets delegated rights. That being said, when you outsource your support to low cost regions you tend to get more people in DA group with less individual knowledge (yes I also think that is trending in the wrong direction for the wrong reasons...).
The absolute best run AD I have come across in the last 10 years had 3 engineers (and 1 manager) with DA rights for roughly (at the time) 250,000 userids and over 300,000 machines.
When it really comes down to it, there seems to be very little true AD DA work once a forest is established unless a company is in a state of massive churn (like site/subnet changes, not OU changes, AD DAs shouldn't be spending much energy on OU's IMO [1]). It seems a lot of the work is stuff tossed to DA's they shouldn't be doing in the first place (IMO) or they just end up getting every little issue everyone else can't solve escalated to them. This last is a result of poor quality Windows admins who don't know how to troubleshoot, they know to click on things and change stuff until it works and sometimes that just isn't enough... When I walk into a place, I usually don't want to be a DA though people try to throw those rights at me. For the most part, unless I am there to actually do the ops support I don't need the rights. I didn't have DA in any production environment for nearly 4 years and solved all sorts of problems and was able to look at all sorts of data.
joe
[1] Nor really any data population. AD DAs should be managing the service and making sure AD is patched and functioning properly.
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
_____
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Levicki Sent: Friday, May 29, 2009 6:38 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
Serious question, is 9 DAs too many for 1200+ users? I think not.
2009/5/29 Gabriele Scolaro <gabro@gabro.net>
Agree. In my experience the main issue is around managers always seeking for consensus. It's easier to say "YES" do 9 DAs than saying "NO" to 6 (ex)DAs. Another issue is that some managers have a weird vision of "risk": "It works today, I don't care about tomorrow."
Gabriele.
-----Original Message----- From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Patrick Paul Sent: venerdì 29 maggio 2009 14.07 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins Access
We are down to about 9 DA but I want a max of 3 - we are a small company 1250 employees but BOSSES and POLITICS  Thanks all for your replies.
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji Sent: Wednesday, May 27, 2009 1:39 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins Access
I understand what you are saying, but the correct answer to his poser is simply "there is currently no known way".
His problem is not a technical one - it is a procedural (human) one that could only be "Fixed" by non-technical means - at this time, at least.
Sincerely,
www.akomolafe.name - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
________________________________________
From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Andrew Healey [drewhealey@gmail.com] Sent: Tuesday, May 26, 2009 7:33 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
I was simply trying to answer the chaps query. I am 100% in agreement with you. It is a hack that could easily be worked around by anybody who has an ounce of knowledge. If they have domain admin rights, what's stopping them from removing the loopback? Hell, he could just skip the loopback mess and add a logon script. It is all a hack. The proper solution is to restrict the membership of "sensitive" groups.
However, everybody seemed to be telling him that he needs to talk to person x or solve it by fixing policy y or that certain group z wasn't doing their job.
His question was, "Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?" I was simply trying to offer him a way to make it happen.
Thanks for the clarification though.
On Tue, May 26, 2009 at 7:14 PM, Akomolafe, Deji <deji@readymaids.com> wrote:
> ANY Domain Admin whose attempt to log onto a DC is defeated by the "fix" you have provided below should not have been a Domain Admin in the first place.
>
> Sincerely,
> www.akomolafe.name - we know IT
> -5.75, -3.23
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
> ________________________________________
> From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] On Behalf Of Andrew Healey [drewhealey@gmail.com]
> Sent: Tuesday, May 26, 2009 7:09 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Domain Admins Access
>
> Loopback logon script for your domain controllers. Just have it check the UPN or sAMAccountName and force a log off as soon as they log on. You could even present them with a nice popup saying, "Have a nice day. Thanks for playing."
>
> The logic is easy:
>
> For Each admin in badAdmins
>     If admin = logonName Then ForceLogoff
> Next
>
> In reality, those that have responded so far are correct. It sounds like your management and security personnel should be doing their jobs better. However, I guess it all depends on the situation. Just keep in mind Newton's laws of motion. Something like this could come back and bite you in the arse.
>
> Andrew J Healey
> http://halfloaded.com
>
> On Tue, May 26, 2009 at 7:58 AM, Patrick Paul <patrickp@batelnet.bs> wrote:
>> Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?
>>
>> I know this is a strange question but the reason is simple when you're looking at it from my perspective. I am responsible for DCs but other administrators with DOMAIN ADMIN accounts exist and are trespassing and doing whatever they wish.
>>
>> Regards
>>
>> Patrick
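The recurring point in this branch of the thread (joe's "3-6 very knowledgeable people", Deji's "should not have been a Domain Admin in the first place", and the "add the user to Domain Admins so the app works" habit) is that the control is group membership, not logon scripts. The following is an added PowerShell example, not code from the thread or from any of its posters: it reports the recursive user membership of the privileged groups against a ceiling and flags the stale entries that tend to accumulate. It assumes the ActiveDirectory module (RSAT or Server 2008 R2 and later) and a domain-joined machine; the ceiling value and the 90-day idle window are placeholders.

```powershell
# Added example (not from the thread): privileged-group membership report.
# Assumes the ActiveDirectory module; $Ceiling and $IdleDays are placeholder policy values.
Import-Module ActiveDirectory

$Ceiling  = 6        # placeholder: the upper end of the 3-6 range joe describes
$IdleDays = 90       # placeholder: how long without a logon before an entry is questioned
$Groups   = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedMemberReport {
    foreach ($g in $Groups) {
        # -Recursive expands nested groups: nesting is how the real count quietly exceeds
        # the handful of names visible in the group's Members tab.
        $members = @(Get-ADGroupMember -Identity $g -Recursive |
                     Where-Object { $_.objectClass -eq 'user' } |
                     Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet)

        $status = if ($members.Count -gt $Ceiling) { 'OVER CEILING' } else { 'ok' }
        Write-Host ("{0,-18} {1,3} user members (direct + nested)  [{2}]" -f $g, $members.Count, $status)

        foreach ($m in ($members | Sort-Object SamAccountName)) {
            # Disabled or long-idle members are the ones added for a project, a vendor
            # or a misbehaving application and never removed afterwards.
            $notes = @()
            if (-not $m.Enabled) { $notes += 'disabled' }
            # A $null LastLogonDate (never logged on) also satisfies the comparison and is flagged.
            if ($m.LastLogonDate -lt (Get-Date).AddDays(-$IdleDays)) { $notes += "no logon in $IdleDays days" }
            Write-Host ("    {0,-24} pwd set {1:yyyy-MM-dd}  {2}" -f $m.SamAccountName, $m.PasswordLastSet, ($notes -join ', '))

            # Emit an object as well so the report can be filtered, exported or diffed run-over-run.
            New-Object PSObject -Property @{
                Group = $g; SamAccountName = $m.SamAccountName
                Enabled = $m.Enabled; LastLogonDate = $m.LastLogonDate; Notes = ($notes -join ', ')
            }
        }
    }
}

# Run it and keep a copy; diffing two dated CSVs shows who was added since last time.
Get-PrivilegedMemberReport | Export-Csv -NoTypeInformation -Path ("$env:TEMP\priv-groups-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Running this on a schedule and diffing the CSV against the previous one turns the "9 DAs, want 3" argument into a list of named accounts with a reason each one is still there, which is the conversation the thread says management keeps avoiding.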
| | | |
| gossp13
Posts:7
 | | 06/06/2009 3:43 PM |
| Tony - I have run into that same problem, the solution we came up with was to set ms-DS-MachineAccountQuota attribute to 0. This forced everyone (except DA's) to pre-create a computer object prior to joining the computer to the domain. We then followed the same path of assigning computer ACLs on specific OU's. The only catch was training the Desktop Admins to remember to use their group when the pre-created computer object asked for delegation rights. Works like a charm though, only accounts that are in the AD first work, everyone else gets access denied.
-pat
On Mon, Jun 1, 2009 at 6:20 PM, Tony Gordon <Tony.Gordon@hewitt.com> wrote:
> I am looking for a way to let a specific group of people join devices to the domain, but only into the list of Organizational Units that I want the devices to reside in.
>
> Seemed simple. Grant the group rights to join workstations to the domain, delegate the appropriate tasks on the Organizational Units and you are good.
>
> Hit a little snag. At first blush I am not able to restrict adding the computers to the default Organizational Unit (I have redirected cn=computers to an Organizational Unit).
>
> While there are no explicit permissions assigned to the group on that Organizational Unit, a member of the group can successfully join computers into that default Organizational Unit. After removing Authenticated Users and the Pre-Windows 2000 group from the ACL I get an error that the SPN could not be written (even though both of them only had READ rights to begin with), but the computer object is still created.
>
> Is that something embedded in the code?
>
> Thank you, Tony.
>
> *Tony Gordon *
> Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
> ITS Infrastructure Engineering
> tony dot gordon at hewitt dot tld | www.hewitt.com
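Gabriele's two checks (the "Add workstations to domain" user right and ms-DS-MachineAccountQuota) and Pat's fix (quota to 0, pre-create the computer object in the correct OU, delegate the join to the desktop group) are the same procedure seen from both ends. The block below is an added PowerShell example, not code from the thread or from any poster, that walks that procedure once and finishes with a check for objects that still land in the default container. It assumes the ActiveDirectory module, that it runs on a domain controller with rights to modify the domain head object, and placeholder OU, group and host names; the four GUIDs are the well-known schema rights GUIDs of the ACEs that the ADUC "can join this computer to a domain" option writes.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and a DC to run on.
$TargetOU  = 'OU=Workstations,DC=example,DC=com'   # placeholder: the OU the device belongs in
$JoinGroup = 'Desktop-Admins'                       # placeholder: group delegated to finish the join
$NewName   = 'WS-0042'                              # placeholder: hostname being pre-created
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Where a plain join drops its object. After redircmp this is the redirected OU Tony describes.
Write-Host "Default computer container: $($domain.ComputersContainer)"

# 2. The quota lives on the domain head. Default 10 = any authenticated user may create 10 objects there.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota is currently $quota"

# 3. Zero it: a join now needs an object that already exists (or explicit Create-Child rights on an OU).
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 4. The user right Gabriele lists ("Add workstations to domain" = SeMachineAccountPrivilege) is the
#    other half. Export the effective policy on this DC and see who holds it.
secedit /export /cfg "$env:TEMP\userrights.inf" /areas USER_RIGHTS | Out-Null
Select-String -Path "$env:TEMP\userrights.inf" -Pattern '^SeMachineAccountPrivilege'

# 5. Pre-create the object in the right OU, then delegate only what a join needs to the group.
New-ADComputer -Name $NewName -SamAccountName ($NewName + '$') -Path $TargetOU -Enabled $true
$computer = Get-ADComputer -Identity $NewName
$groupSid = (Get-ADGroup -Identity $JoinGroup).SID
$adPath   = 'AD:\' + $computer.DistinguishedName
$acl      = Get-Acl -Path $adPath

# Well-known schema GUIDs of the rights a domain join exercises on its own computer object.
$ResetPassword       = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # control access right
$ValidatedDnsHost    = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'   # validated write
$ValidatedSpn        = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'   # validated write
$AccountRestrictions = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'   # property set

function Add-Ace($acl, $sid, [string]$right, [guid]$objectType) {
    $rights = [System.DirectoryServices.ActiveDirectoryRights]$right
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $allow, $objectType
    $acl.AddAccessRule($rule)
}
Add-Ace $acl $groupSid 'ExtendedRight' $ResetPassword
Add-Ace $acl $groupSid 'Self'          $ValidatedDnsHost
Add-Ace $acl $groupSid 'Self'          $ValidatedSpn
Add-Ace $acl $groupSid 'WriteProperty' $AccountRestrictions
Set-Acl -Path $adPath -AclObject $acl

# 6. Detection: anything that still shows up in the default container got there through a path
#    you have not closed. mS-DS-CreatorSID is stamped only on objects created through the quota,
#    so it names the account that consumed it.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel `
    -Properties whenCreated, 'mS-DS-CreatorSID' |
    Sort-Object whenCreated -Descending |
    Format-Table Name, whenCreated, 'mS-DS-CreatorSID' -AutoSize
```

Step 5 is the part Pat's desktop admins had to be trained on: the group named when the object is pre-created is the one whose credentials must be used at join time, because the ACEs are on that one object rather than on the OU. Step 6 is worth keeping as a scheduled check even after the quota is zero, since Domain Admins are exempt from the quota and a join done by one of them still lands wherever the default container points.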
| | | |
| TG
Posts:298
 | | 06/08/2009 8:12 PM |
| Thanks Pat.
That does seem to work and I am considering that course of action.
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP Tel 847.295.5000 x37892 | Fax 847.883.7892 tony dot gordon at hewitt dot tld Please consider the environment before printing this e-mail.
From: "Pat Goss" <gossp13@gmail.com> To: activedir@mail.activedir.org Date: 06/06/2009 09:40 AM Subject: Re: [ActiveDir] Domain Admins Access Sent by: activedir-owner@mail.activedir.org
Tony - I have run into that same problem, the solution we came up with was to set ms-DS-MachineAccountQuota attribute to 0. This forced everyone (except DA's) to pre-create a computer object prior to joining the computer to the domain. We then followed the same path of assigning computer ACLs on specific OU's. The only catch was training the Desktop Admins to remember to use their group when the pre-created computer object asked for delegation rights. Works like a charm though, only accounts that are in the AD first work, everyone else gets access denied.
-pat
On Mon, Jun 1, 2009 at 6:20 PM, Tony Gordon <Tony.Gordon@hewitt.com> wrote: I am looking for a way to let a specific group of people join devices to the domain, but only into the list of Organizational Units that I want the devices to reside in.
Seemed simple. Grant the group rights to join workstations to the domain, delegate the appropriate tasks on the Organizational Units and you are good.
Hit a little snag. At first blush I am not able to restrict adding the computers to the default Organizational Unit (I have redirected cn=computers to an Organizational Unit).
While there are no explicit permissions assigned to the group on that Organizational Unit, a member of the group can successfully join computers into that default Organizational Unit. After removing Authenticated Users and the Pre-Windows 2000 group from the ACL I get an error that the SPN could not be written (even though both of them only had READ rights to begin with), but the computer object is still created.
Is that something embedded in the code?
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering tony dot gordon at hewitt dot tld | www.hewitt.com
| | | |
| LeslieTyson
Posts:15
 | | 06/09/2009 5:38 PM |
| We suggested exactly that here, and the amount of overhead that it created (pre-creating all computer accounts) was deemed to be excessive. (Politics...) What we implemented instead was a GPO on the redirected Computers OU that forces a nag message to pop up every few minutes on the screen of every computer in the new default OU, informing them that their computer was in the wrong OU, and to call their local help desk. The message is only annoying - it doesn't log them out, reboot, or do anything that might prevent a person from working; it just bugs them.
That solved most of the problems.
Cheers,
Tyson.
Regards,
Tyson Leslie Systems Architect Group ICT Infrastructure and Architecture WorleyParsons Phone: +1 403 258 8153 Fax: +1 403 258 5899 Mobile: +1 403 861 3043 Email: Tyson.Leslie@WorleyParsons.com
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Tony Gordon Sent: Monday, June 08, 2009 1:09 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
Thanks Pat.
That does seem to work and I am considering that course of action.
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP Tel 847.295.5000 x37892 | Fax 847.883.7892 tony dot gordon at hewitt dot tld Please consider the environment before printing this e-mail.
From: "Pat Goss" <gossp13@gmail.com> To: activedir@mail.activedir.org Date: 06/06/2009 09:40 AM Subject: Re: [ActiveDir] Domain Admins Access Sent by: activedir-owner@mail.activedir.org
________________________________
Tony - I have run into that same problem, the solution we came up with was to set ms-DS-MachineAccountQuota attribute to 0. This forced everyone (except DA's) to pre-create a computer object prior to joining the computer to the domain. We then followed the same path of assigning computer ACLs on specific OU's. The only catch was training the Desktop Admins to remember to use their group when the pre-created computer object asked for delegation rights. Works like a charm though, only accounts that are in the AD first work, everyone else gets access denied.
-pat
On Mon, Jun 1, 2009 at 6:20 PM, Tony Gordon <Tony.Gordon@hewitt.com> wrote: I am looking for a way to let a specific group of people join devices to the domain, but only into the list of Organizational Units that I want the devices to reside in.
Seemed simple. Grant the group rights to join workstations to the domain, delegate the appropriate tasks on the Organizational Units and you are good.
Hit a little snag. At first blush I am not able to restrict adding the computers to the default Organizational Unit (I have redirected cn=computers to an Organizational Unit).
While there are no explicit permissions assigned to the group on that Organizational Unit, a member of the group can successfully join computers into that default Organizational Unit. After removing Authenticated Users and the Pre-Windows 2000 group from the ACL I get an error that the SPN could not be written (even though both of them only had READ rights to begin with), but the computer object is still created.
Is that something embedded in the code?
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering tony dot gordon at hewitt dot tld | www.hewitt.com
________________________________
*** WORLEYPARSONS GROUP NOTICE *** "This email is confidential. If you are not the intended recipient, you must not disclose or use the information contained in it. If you have received this email in error, please notify us immediately by return email and delete the email and any attachments. Any personal views or opinions expressed by the writer may not necessarily reflect the views or opinions of any company in the WorleyParsons Group of Companies."
| | | |