Author | Messages

Patrick | Posts: 18 | 05/26/2009 4:07 PM
Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?
I know this is a strange question, but the reason is simple when you're looking at it from my perspective. I am responsible for DCs, but other administrators with DOMAIN ADMIN accounts exist and are trespassing and doing whatever they wish.
Regards
Patrick

CrawfordS | Posts: 102 | 05/26/2009 4:15 PM
Have you tried taking them out of the domain admins group?
<ducks>
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Patrick Paul Sent: Tuesday, May 26, 2009 9:58 AM To: activedir@mail.activedir.org Subject: [ActiveDir] Domain Admins Access

bsonposh | Posts: 386 | 05/26/2009 4:17 PM
- Determine what those admins really need access to.
- Create a group that has that access.
- Add users to the group.
- Remove users from the DA group.
That is your solution.

y2k1981 | Posts: 44 | 05/26/2009 4:19 PM
Hi Patrick
I know exactly (or pretty well!) your predicament! No, there's no way to prevent domain admins from logging onto a DC. I think what you really need to look at is why those users have domain admin rights in the first place. If they don't need to administer the DCs then they don't need domain admin rights. Why not delegate them the necessary rights they require in AD (reset passwords, create/delete user accounts etc.) and give them local admin on the member servers they need to administer. If they just need to administer file shares (e.g. change NTFS permissions etc.) then they don't need ANY rights to log on to the file server - they just need the NTFS permissions and can do this remotely by browsing to the share (creating shares is a different issue however).
Delegation is a very broad topic, and each organisation's needs are different, but if you sit down and start to think about what these guys REALLY need access to and start writing up some lists, you should be able to come up with something. I had to do this just recently for our company and we're still in the process of implementing it. I could go on but it'd take hours! One thing I will say however is that logging onto servers opens up the temptation to use them for non-admin tasks such as browsing the web to investigate a problem etc. The less you log on to a server, the less likely you are to break it... or worse still, infect it! I'm not saying you'll eliminate the risk but you'll certainly mitigate it, I think.
Good Luck !
Martin

oz.ozugurlu | Posts: 34 | 05/26/2009 4:46 PM
I agree with Martin, I've been there as well (-: ; below are my recommendations, similar to what he has mentioned.
Unfortunately your hands are tied.
You have no control over the given domain administrator privileges (it is out of your hands and you cannot make any modification to the domain admin list due to political reasons), yet you don't want some of these people to log into domain controllers because you don't trust them.
Honestly these people should not be given more rights than what they need to get the work done, but again, "Politics".
If you were running Windows 2008 domain controllers, *Reliability Monitor* could help you to track the changes, if there are any.
You could create a *Scheduled Task* for specific users on the domain controllers, such as below:
1. If user A logs in on a specific DC -> log him off (it works flawlessly).
2. Take advantage of the powerful scheduled tasks on Windows 2008: hide the task and let it run.
3. Mine was working perfectly; I ended up taking it out because of politics (-:
4. Create a task to e-mail you when a user logs in and prompt a login window letting them know they are not supposed to make any changes; you log in immediately and ask them why they have logged in. After a while they do understand you are on top of it, but in reality it is impossible to log in and ask everyone; still, you get an e-mail each time someone logs in.
5. Document your configuration. Sydi is free (http://sydiproject.com/), so you know what you have and can compare it to make sure there are no changes.
6. Keep track of Reliability Monitor; the purpose of RM is to keep track of changes.
7. If you can beat the politics, use delegation and you never have to worry about things getting changed; and make sure there is some sort of change management in place.
The problem is not having strong change management (or having a poor one in place) and domain administrators making changes on the domain controllers on the fly, causing more trouble and headaches for the people who are responsible for fixing them.
Good luck,
Oz
On Tue, May 26, 2009 at 11:16 AM, Martin McDermott < martin.mcdermott@exlayer.co.uk> wrote:
-- Oz Casey Dedeal, Systems Engineer, MVP (Exchange) | oz@SMTp25.org | http://smtp25.blogspot.com | http://telnet25.wordpress.com/
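Oz's "e-mail me when they log in" task can be built on the Security log rather than on a per-user logoff task, which keeps it in the monitoring category the thread agrees is legitimate. The PowerShell below is an added example written for this page; it is not Oz's script or anything posted to the list. It assumes Windows Server 2008 or later (logon event ID 4624), the ActiveDirectory module (Server 2008 R2 or RSAT) and an SMTP relay; the mail addresses, server name and the constructed sample records are placeholders.

```powershell
# Added example (not from the thread): report interactive (2), RDP (10) and cached (11) logons
# to this DC by members of Domain Admins, and mail the report when there is something to say.
# Assumes: event ID 4624 (Server 2008+), ActiveDirectory module, an SMTP relay; names are placeholders.
Import-Module ActiveDirectory

function ConvertFrom-LogonEvent {
    # Pull the fields we need out of the event XML, so the code does not depend on Properties[] order
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        User      = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        LogonType = [int]$d['LogonType']
        Source    = $d['IpAddress']
        Process   = $d['ProcessName']
    }
}

function Select-AdminLogon {
    # Pure filter, usable offline: keep console/RDP logons whose account is in $Admins
    param([object[]]$Logons, [string[]]$Admins, [int[]]$LogonTypes = @(2, 10, 11))
    $set = @($Admins | ForEach-Object { $_.ToLower() })
    $Logons | Where-Object { $LogonTypes -contains $_.LogonType -and $set -contains $_.User.ToLower() }
}

function Get-DomainAdminDCLogons {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # Effective (nested) DA membership, users only
    $admins = Get-ADGroupMember 'Domain Admins' -Recursive |
              Where-Object { $_.objectClass -eq 'user' } | ForEach-Object { $_.SamAccountName }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue
    Select-AdminLogon -Logons @($events | ForEach-Object { ConvertFrom-LogonEvent $_ }) -Admins $admins
}

# Offline check with constructed records: only the RDP logon by the DA account should be returned;
# the network (type 3) logons are what a DA's normal remote administration looks like and are ignored.
$constructed = @(
    [pscustomobject]@{ Time = Get-Date; User = 'dc-admin1';  Domain = 'EXAMPLE'; LogonType = 10; Source = '10.0.0.5'; Process = '-' },
    [pscustomobject]@{ Time = Get-Date; User = 'svc-backup'; Domain = 'EXAMPLE'; LogonType = 3;  Source = '10.0.0.9'; Process = '-' },
    [pscustomobject]@{ Time = Get-Date; User = 'dc-admin1';  Domain = 'EXAMPLE'; LogonType = 3;  Source = '10.0.0.9'; Process = '-' }
)
Select-AdminLogon -Logons $constructed -Admins 'dc-admin1', 'Administrator'

# Live run, typically from a scheduled task on each DC; mail only when there is something to report
$hits = @(Get-DomainAdminDCLogons -Since (Get-Date).AddHours(-1))
if ($hits.Count -gt 0) {
    $body = $hits | Format-Table Time, Domain, User, LogonType, Source -AutoSize | Out-String
    Send-MailMessage -To 'dc-owner@example.com' -From "$env:COMPUTERNAME@example.com" `
        -Subject "Domain Admin logon on $env:COMPUTERNAME" -Body $body -SmtpServer 'smtp.example.com'
}
```

Run it hourly from a scheduled task on every DC, or attach it to an event-triggered task on event 4624 to get Oz's "as soon as they log in" behaviour. Because it only reads the log and membership, a DA who wants to hide still has to clear the Security log or edit the task, both of which leave their own events, which is the most a purely technical control can offer here.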

neil.ruston@credit-suisse.com | Posts: 88 | 05/26/2009 5:26 PM
1. Trust your service admins. If you don't trust 'em, don't grant 'em rights.
2. Manage your service admins' group memberships. Restrict membership to a bare minimum and review regularly.
3. Monitor your service admins. Use security monitoring tools to capture and report on all service admin-like activities.
Most of the above requires process and not technology :)
neil
Neil Ruston, CREDIT SUISSE, +44 (0) 20 7883 3779, neil.ruston@credit-suisse.com
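Neil's point 2 (bare-minimum membership, reviewed regularly) is the one that lends itself to a script. The PowerShell below is an added example, not Neil's code or anything from the list. It compares the effective (nested) membership of Domain Admins against an approved list and reports what has drifted. It assumes the ActiveDirectory module; the approved account names and the member limit are placeholders.

```powershell
# Added example (not from the thread): review Domain Admins against an approved list.
# Assumes the ActiveDirectory module; approved names and the limit are placeholders.
Import-Module ActiveDirectory

function Compare-AdminMembership {
    # Pure comparison so it can be exercised offline; both inputs are lists of sAMAccountNames
    param([string[]]$Actual, [string[]]$Approved)
    $a = @($Actual   | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)
    $p = @($Approved | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)
    [pscustomobject]@{
        Unexpected = @($a | Where-Object { $p -notcontains $_ })   # in DA but not approved: remove
        Missing    = @($p | Where-Object { $a -notcontains $_ })   # approved but absent: the list is stale
        Count      = $a.Count
    }
}

function Get-DomainAdminReview {
    param([string[]]$Approved, [int]$MaxMembers = 3)
    # Nested groups inside DA are a finding on their own: their membership is controlled elsewhere
    # and can grow without anyone touching Domain Admins
    $direct = Get-ADGroupMember -Identity 'Domain Admins'
    $nestedGroups = @($direct | Where-Object { $_.objectClass -eq 'group' } | ForEach-Object { $_.SamAccountName })
    # Effective membership, users only, with the attributes a reviewer wants to see
    $users = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
               Where-Object { $_.objectClass -eq 'user' } |
               Get-ADUser -Properties Enabled, LastLogonDate)
    $drift = Compare-AdminMembership -Actual @($users | ForEach-Object { $_.SamAccountName }) -Approved $Approved
    [pscustomobject]@{
        Members      = $users | Select-Object SamAccountName, Enabled, LastLogonDate
        NestedGroups = $nestedGroups
        Unexpected   = $drift.Unexpected
        Missing      = $drift.Missing
        Disabled     = @($users | Where-Object { -not $_.Enabled } | ForEach-Object { $_.SamAccountName })
        OverLimit    = ($drift.Count -gt $MaxMembers)
    }
}

# Offline check of the comparison with constructed names: helpdesk-bob is unexpected, dc-admin2 is missing
Compare-AdminMembership -Actual 'Administrator', 'dc-admin1', 'helpdesk-bob' -Approved 'Administrator', 'dc-admin1', 'dc-admin2'

# Live run against the domain, with Patrick's target of at most 3 members
Get-DomainAdminReview -Approved 'Administrator', 'dc-admin1', 'dc-admin2' -MaxMembers 3 | Format-List
```

Schedule it and keep the output: a dated record of who was in Domain Admins, and of each change against the approved list, is what turns Neil's "review regularly" into something the auditors and the managers can be shown.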

listmail | Posts: 763 | 05/26/2009 10:47 PM
Kick them out.
Admins are gods on the boxes they have admin rights on, you can't effectively block them from much of anything. If you don't trust them, they shouldn't have the rights in the first place. Likely they don't need the rights anyway. Someone was just lazy and went that route. If you have people who have domain admin rights (or any level admin rights on DCs) and their job isn't specifically to keep the domain controllers running correctly, your security people aren't doing their job properly.
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

mctbill | Posts: 12 | 05/27/2009 1:52 AM
Indeed.
We went through this when we went from NT 4.0 to AD. We asked every single person what they really needed domain admins right for, and virtually every one of them outside my group said "I have to add and remove computers from the domain." That was it.
We delegated that right to a new universal group, added those people to that group in the appropriate domain, and removed their DA rights. We also removed the ability for any user to add machines, long before that. We're following joe's model of under a dozen domain admins now, and I'm cutting that again this year to 9, possibly 8. The original number was well over 200 people, about ten years ago.
You have a Layer 9 problem, and I have empathy for you, having been there. But if you throw them that tiny little bone so they can do their job, it may work for you. Of course, if they exceed that, it's always great to put a few heads on pikes outside the building, to discourage the others.
If they demur, and insist they need those rights, let them do the next burflags recovery you have to perform. It will change their mind.
Best of luck to you.
Bill
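bsonposh's four steps, Martin's password-reset delegation and Bill's "add and remove computers from the domain" right, carried out as one script. This PowerShell is an added example written for this page, not code from any poster. It assumes the ActiveDirectory module and dsacls.exe (both present on a Server 2008 R2 DC or with RSAT); the OU names, group names and account names are placeholders, and the quota change assumes, as Bill describes, that nobody outside the delegated group should be joining machines.

```powershell
# Added example (not from the thread): replace blanket Domain Admins membership with delegated groups.
# Steps: create a group with only the needed access, delegate that access, add the people, remove them from DA.
# Assumes the ActiveDirectory module and dsacls.exe; all OU, group and account names are placeholders.
Import-Module ActiveDirectory

$Domain     = Get-ADDomain
$NetBios    = $Domain.NetBIOSName                                # e.g. EXAMPLE
$UsersOU    = "OU=Staff,$($Domain.DistinguishedName)"           # placeholder OU holding user accounts
$ComputerOU = "OU=Workstations,$($Domain.DistinguishedName)"    # placeholder OU that joined machines land in

function New-DelegatedGroup {
    # Global security group; idempotent so the script can be re-run
    param([string]$Name, [string]$Description)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Description $Description
    }
    Get-ADGroup $Name
}

# Steps 1 and 2: one group per thing these admins said they actually need
$Helpdesk = New-DelegatedGroup 'Delegated-PasswordReset' 'Reset user passwords in the Staff OU'
$Joiners  = New-DelegatedGroup 'Delegated-ComputerJoin'  'Join computers to the domain (Workstations OU)'

# Martin's case: reset passwords on users under $UsersOU, inherited to user objects only.
# CA = control access (extended right) "Reset Password"; WP on pwdLastSet allows "must change at next logon".
dsacls $UsersOU /I:S /G "${NetBios}\$($Helpdesk.SamAccountName):CA;Reset Password;user"
dsacls $UsersOU /I:S /G "${NetBios}\$($Helpdesk.SamAccountName):WP;pwdLastSet;user"

# Bill's case: create computer objects in $ComputerOU (CC = create child of class computer)
# and manage the objects that land there (GA on inherited computer objects).
dsacls $ComputerOU /I:T /G "${NetBios}\$($Joiners.SamAccountName):CC;computer"
dsacls $ComputerOU /I:S /G "${NetBios}\$($Joiners.SamAccountName):GA;;computer"

# Bill also removed the default right of every user to join 10 machines: set the domain quota to 0,
# so only explicitly delegated principals can create computer accounts.
Set-ADObject -Identity $Domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Steps 3 and 4: move the people over. $Moves maps placeholder accounts to the group they need.
$Moves = @{
    'alice' = $Helpdesk   # resets passwords for staff
    'bob'   = $Joiners    # images and joins desktops
}
foreach ($sam in $Moves.Keys) {
    Add-ADGroupMember -Identity $Moves[$sam] -Members $sam
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $sam -Confirm:$false
}

# What is left in Domain Admins after the change: should be only the people who run the DCs
Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object SamAccountName, objectClass
```

The two dsacls calls per group are deliberate: the first grants the right on the OU, the second the follow-on attribute or object access the task needs in practice, and both are scoped by object class so the group gets nothing on other object types in the same OU. Run the group creation and ACL part first, confirm the delegated people can do their job with a test account, and only then run the removal loop.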

halfloaded | Posts: 0 | 05/27/2009 3:11 AM
Loopback logon script for your domain controllers. Just have it check the UPN or sAMAccountName and force a log off as soon as they log on. You could even present them with a nice popup saying, "Have a nice day. Thanks for playing."
The logic is easy:
    For Each admin In badAdmins
        If admin = logonName Then ForceLogoff
    Next
In reality, those that have responded so far are correct. It sounds like your management and security personnel should be doing their jobs better. However, I guess it all depends on the situation. Just keep in mind Newton's laws of motion. Something like this could come back and bite you in the arse.
Andrew J Healey http://halfloaded.com

deji | Posts: 259 | 05/27/2009 3:17 AM
ANY Domain Admin whose attempt to log onto a DC is defeated by the "fix" you have provided below should not have been a Domain Admin in the first place.
Sincerely, Deji Akomolafe (www.akomolafe.name)

halfloaded | Posts: 0 | 05/27/2009 3:29 AM
Also, keep in mind this will not prevent them from accessing the server via other means. But it will answer your question, which was how to keep them from logging into your DCs. If you want more information on loopback policies, Google is your friend: http://www.google.com/search?q=loopback+processing+gpo
You could get really fancy and have a text file with all the logon names you want to force a log off for. Or you could just create an array. Either way, here is, from memory, what you would want to do to force a logoff:
    Dim WshShell
    Set WshShell = WScript.CreateObject("WScript.Shell")
    ' log the current session off immediately, closing applications without prompting
    WshShell.Run "shutdown /l /f /t 0"
Of course, test this first since I am just typing from the bar.
Cheers!
Andrew J Healey http://halfloaded.com

halfloaded | Posts: 0 | 05/27/2009 3:35 AM
I was simply trying to answer the chap's query. I am 100% in agreement with you. It is a hack that could easily be worked around by anybody who has an ounce of knowledge. If they have domain admin rights, what's stopping them from removing the loopback? Hell, he could just skip the loopback mess and add a logon script. It is all a hack. The proper solution is to restrict the membership of "sensitive" groups.
However, everybody seemed to be telling him that he needs to talk to person x or solve it by fixing policy y or that certain group z wasn't doing their job.
His question was, "Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?" I was simply trying to offer him a way to make it happen.
Thanks for the clarification though.

deji | Posts: 259 | 05/27/2009 6:42 AM
I understand what you are saying, but the correct answer to his poser is simply "there is currently no known way".
His problem is not a technical one - it is a procedural (human) one that could only be "Fixed" by non-technical means - at this time, at least.
Sincerely, Deji Akomolafe (www.akomolafe.name)

Patrick | Posts: 18 | 05/29/2009 1:15 PM
We are down to about 9 DAs but I want a max of 3 - we are a small company, 1250 employees, but BOSSES and POLITICS :) Thanks all for your replies.

gabriel/tfi | Posts: 381 | 05/29/2009 11:35 PM
Agree. In my experience the main issue is around managers always seeking consensus. It's easier to say "YES" to 9 DAs than saying "NO" to 6 (ex-)DAs. Another issue is that some managers have a weird vision of "risk": "It works today, I don't care about tomorrow."
Gabriele.
| | | |
| andrew
Posts:77
 | | 05/29/2009 11:39 PM |
| Serious question, is 9 DAs too many for 1200+ users? I think not.
2009/5/29 Gabriele Scolaro <gabro@gabro.net>
> Agree. In my experience the main issue is around managers always seeking for consensus. It's easier to say "YES" to 9 DAs than saying "NO" to 6 (ex)DAs. Another issue is that some managers have a weird vision of "risk": "It works today, I don't care about tomorrow."
>
> Gabriele.
>
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Patrick Paul
> Sent: Friday, May 29, 2009 14.07
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] Domain Admins Access
>
> We are down to about 9 DA but I want a max of 3 - we are a small company, 1250 employees, but BOSSES and POLITICS
> Thanks all for your replies.
>
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Akomolafe, Deji
> Sent: Wednesday, May 27, 2009 1:39 AM
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] Domain Admins Access
>
> I understand what you are saying, but the correct answer to his poser is simply "there is currently no known way".
>
> His problem is not a technical one - it is a procedural (human) one that could only be "Fixed" by non-technical means - at this time, at least.
| | | |
| bdesmond
Posts:843
 | | 05/29/2009 11:43 PM |
| Yes probably
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| Ravi.Sabharanjak@barclaysglobal.com
Posts:0
 | | 05/30/2009 12:01 AM |
| 2 per region is more than enough. You shouldn't be making more changes than what these guys can keep track of overall...
| | | |
| mcasey
Posts:49
 | | 05/30/2009 12:06 AM |
| I agree. Only about 3 people really perform tasks that require DA access where I am, for a forest with roughly 11000 user objects. The rest of the tasks can and should be done with much less access. Don't bother asking me how many DAs we actually have though, I will have to reach for another drink.
-- Sent from my mobile device
| | | |
| gabriel/tfi
Posts:381
 | | 05/30/2009 12:18 AM |
| If you have delegation of administrative tasks in place by means of ACLing AD or a proxy application, and designated teams are enabled to manage desktops and servers, think about how often DA/EA privs are really needed: mainly for promoting/demoting/troubleshooting DCs, less often for other activities such as AD topology (sites/subnets) changes, DNS changes, OU design changes, GPO changes, etc.
Yes, I believe 9 EA/DAs are too many, 2 or 3 are enough for most scenarios.
Gabriele.
| | | |
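The thread's consensus, from the loopback-logoff discussion through to Gabriele's "2 or 3 are enough", is that the fix is small sensitive-group membership plus visibility, not a script a DA can disable. The following PowerShell audit is an added example, not code from any poster: it expands the sensitive groups recursively, reports members who are not on an approved list (removing them only with -Enforce, which honours -WhatIf), warns when a group exceeds a member limit, and lists interactive or RDP logons to each DC by anyone still privileged. The group list, the approved account names, the limit of 3 and the 24-hour window are assumptions to adapt; it requires PowerShell 5.1 with the RSAT ActiveDirectory module and read access to the DCs' Security logs.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Constructed sample of approved privileged accounts; replace with your own.
    [string[]]$ApprovedAdmins = @('adm.patrick', 'adm.backup'),
    # Groups whose membership should stay minimal (assumed list).
    [string[]]$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    # Thread consensus: 2 or 3 per domain is enough; warn above this (assumed limit).
    [int]$MaxMembers = 3,
    [int]$HoursBack = 24,
    # Remove unapproved members when set (honours -WhatIf / -Confirm).
    [switch]$Enforce
)

$approved = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($a in $ApprovedAdmins) { [void]$approved.Add($a) }

# 1. Membership: expand each sensitive group recursively so nesting cannot hide a member.
$privileged = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$drift = foreach ($g in $SensitiveGroups) {
    try {
        $users = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                   Where-Object objectClass -eq 'user')
    } catch {
        # Enterprise/Schema Admins exist only in the forest root, so this can fail in a child domain.
        Write-Warning "Cannot read '$g': $($_.Exception.Message)"
        continue
    }
    if ($users.Count -gt $MaxMembers) {
        Write-Warning "$g has $($users.Count) user members; limit is $MaxMembers"
    }
    foreach ($u in $users) {
        [void]$privileged.Add($u.SamAccountName)
        if (-not $approved.Contains($u.SamAccountName)) {
            [pscustomobject]@{ Group = $g; Member = $u.SamAccountName; DN = $u.distinguishedName }
        }
    }
}
'--- Unapproved members of sensitive groups ---'
$drift | Format-Table -AutoSize

# Optional enforcement; run with -Enforce -WhatIf first to see what would be removed.
if ($Enforce) {
    foreach ($d in $drift) {
        if ($PSCmdlet.ShouldProcess("$($d.Member) in '$($d.Group)'", 'Remove-ADGroupMember')) {
            Remove-ADGroupMember -Identity $d.Group -Members $d.Member -Confirm:$false
        }
    }
}

# 2. Detection: interactive (LogonType 2) and RDP (10) logons to every DC by anyone still privileged.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$HoursBack) }
$logons = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        # Read named EventData fields from the event XML rather than positional Properties[].
        $data = @{}
        foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data['LogonType'] -in @('2', '10') -and $privileged.Contains($data['TargetUserName'])) {
            [pscustomobject]@{
                DC = $dc.HostName; When = $ev.TimeCreated; User = $data['TargetUserName']
                LogonType = $data['LogonType']; Source = $data['IpAddress']
            }
        }
    }
}
"--- Privileged interactive/RDP logons to DCs in the last $HoursBack h ---"
$logons | Sort-Object When | Format-Table -AutoSize
```

Scheduling the membership half of this from a dedicated admin host gives the "who is in DA today" report that the thread keeps circling; the logon half answers Patrick's original complaint by showing who actually logged on to which DC rather than trying to stop them.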