Active Directory security


  • Active Directory security

    Good morning all

    If I disable an account in AD, how do I prevent someone going in and enabling it again so documents can be retrieved and then turned off?

    Thanks

  • #2
    Re: Active Directory security

    Only people who have permission should be able to un-disable the account. If you don't trust them then they shouldn't have the permissions they have.

    Or, you could create an OU and delegate permissions to yourself (and other trusted admins) and then move the user accounts into that OU once you have disabled them. That way only you have permissions over the user objects.

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician



    • #3
      Re: Active Directory security

      Michael,
      Thanks for your reply, but the problem is a manager is leaving, but their friend is the IT admin. I will disable the account so they are unable to log in to the account, but can I put something in place so it will (1) show me who does access the account (2) not give access out?

      It is a very sensitive area, and I do not wish them to know that I would be aware if anyone accesses the account.



      • #4
        Re: Active Directory security

        1 ) If "The IT Admin" is your superior and he is behaving inappropriately then you need to report it over his head, not take your own action to prevent him (which he will undo).

        2 ) Auditing can be set on the Manager's user account - you can audit the "Write all properties" event and every time someone changes something about that account an event will be written to the Event Log. THERE IS NO WAY TO HIDE THIS.

        3 ) As someone above said, put the user's account into an OU that the IT Admin doesn't have access to; however if he is a Domain Admin he will simply be able to take ownership and remove the permissions, EVEN IF THERE IS A SPECIFIC DENY.

        Really - the best bet is to report it and wash your hands of it. Oh - and change your password - that way only you can use your account.


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you



        • #5
          Re: Active Directory security

          You could enable auditing so you would have a log of what was done and by who.

          Also share your concerns with another management member who you can trust and email any discussions so there is a record of what you talk about. Rule 1 is protect yourself. Change the password before you disable it so if it is re-enabled they won't be able to logon. Just throws a little kink into the works.
          11 was a racehorse.
          22 was 12
          1111 race 1 day
          22112




          • #6
            Re: Active Directory security

            Thanks for the replies, I will do the simple one and change the password then disable the account. I will then know if the account has been activated or not.

            How do I enable auditing?



            • #7
              Re: Active Directory security

              There is ample information about this on the t'internet.

              Here is some to get you going:

              http://www.windowsecurity.com/articl...-Auditing.html
              Michael Armstrong
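
One way to set up the auditing discussed in posts #4 to #7, shown as an added example that is not part of any poster's reply. It assumes the RSAT ActiveDirectory module, an elevated session on a domain controller, and a placeholder account name `jdoe`.

```powershell
# Added example: audit changes to one disabled account and list who touched it.
# Assumptions (not from the thread): 'jdoe' is a placeholder sAMAccountName,
# the ActiveDirectory module is installed, and this runs elevated on a DC.
Import-Module ActiveDirectory

$sam  = 'jdoe'                                   # placeholder account name
$user = Get-ADUser -Identity $sam

# 1. Enable the audit subcategories that record account and directory changes.
#    (Set these in the Default Domain Controllers Policy GPO to make them stick.)
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Add a SACL entry on the user object: log successful and failed property
#    writes by anyone (the "Write all properties" audit described in post #4).
$path     = "AD:\$($user.DistinguishedName)"
$acl      = Get-Acl -Path $path -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $everyone,
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Later: list events for this account together with the actor ("Subject").
#    4722 = enabled, 4724 = password reset attempt, 4725 = disabled, 4738 = changed,
#    5136 = directory object modified (carries ObjectDN instead of TargetUserName)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722, 4724, 4725, 4738, 5136 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -eq $sam -or $d['ObjectDN'] -eq $user.DistinguishedName) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Attribute = $d['AttributeLDAPDisplayName']   # only set on 5136
                DC        = $_.MachineName
            }
        }
    } | Sort-Object Time
```

These events are written only to the Security log of the domain controller that processed the change, so repeat step 3 against each DC (`Get-WinEvent -ComputerName`) or forward the logs to a collector that domain admins cannot clear.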