Security permissions for Domain admins group


  • Security permissions for Domain admins group

    Hi.

    For some odd requirement, I have to allow a particular security group to modify the membership of the "Domain\Domain Admins" group. I went to the security settings of the "Domain Admins" object and added my group with the required privileges. But the problem is that after some time I found that the changes I made had been reverted. To confirm that it is not a problem with my production domain, I did the same in a fresh domain in my test lab, and the results are the same.

    Does anyone know whether this is default behavior? Please let me know if you have any thoughts. If it is default behavior, can someone help me achieve my task?

    Thanks,
    Sitaram
    Last edited by charlsteve; 14th February 2008, 06:50.

  • #2
    Re: Security permissions for Domain admins group

    Do a search on MSKB for "AdminSDHolder"

    There's a built-in function in AD that will strip non-default permissions from certain groups at a regular interval.

    If you want permissions to remain you need to modify the AdminSDHolder template.



    • #3
      Re: Security permissions for Domain admins group

      Yes, that's AdminSDHolder which is causing the same:

      http://support.microsoft.com/kb/232199/

      http://support.microsoft.com/kb/318180/

      Regards,
      Kapil Sharma
      ~~~~~~~~~~~~~
      Life is too short, Enjoy It.



      • #4
        Re: Security permissions for Domain admins group

        Thanks for all your help you have provided.

        I have understood the functionality of the "adminSDHolder" object. If I change ACLs on this object, the same will be replicated to all protected objects, which I don't want to happen.

        My aim is to add custom ACLs for the "domain admin" group only. Is there any way we can achieve this?

        Thanks,
        Sitaram



        • #5
          Re: Security permissions for Domain admins group

          It will not matter. If an account has permissions to modify the membership of the Domain Admins group, it effectively has permissions to add himself to the DA group and make himself a full DA.
          ACL-ing only the DA group would be similar to locking a door, giving someone the keys and showing him how to use the key. This will definitely not stop him from opening the door.

          Because you can't exclude DAs from adminSDHolder, the only option is to enable inheritance on the adminSDHolder container, but I would strongly suggest avoiding it - this is a safety mechanism that is there to protect you if someone messes up the permissions on the sensitive/administrative accounts.

          Bottom line: if someone has to modify DA group, putting his account in Domain Admins group has the same effect as letting him modify the DA group membership.
          In your place I'd go to the management and would explain the implications of something like this.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"



          • #6
            Re: Security permissions for Domain admins group

            I have a similar issue. My question is, how do I add a user to the domain admin group? I have two users that I need to be in this group. Every time I add them, eventually their membership in the group disappears. What do I need to do to keep them in the group? Any help greatly appreciated.

            Thanks,
            Anonpostguy



            • #7
              Re: Security permissions for Domain admins group

              Thanks guyt for your valuable suggestion. Yes, you are right that there is no difference between giving permissions to modify group membership and making him a member of the admin group.

              Hey anonpostguy,

              In my case, it is not removing users from the Domain Admin group. The SD thread process only deals with ACLs and inheritance... not with group membership.

              Let me know if you need any further help!

              Thanks,
              Sitaram.
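
A read-only audit of the behaviour discussed in this thread, added here as an example and not posted by any participant: it lists ACEs on Domain Admins that are absent from the AdminSDHolder template (the ones that get reverted), template ACEs that allow membership or ACL changes, and the objects flagged as protected. It assumes the ActiveDirectory PowerShell module and read access to the domain; the function and variable names are illustrative.

```powershell
# Added example, not from the thread. Read-only: it changes nothing in the directory.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$templateDN = "CN=AdminSDHolder,CN=System,$domainDN"
$groupDN    = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName

# schemaIDGUID of the 'member' attribute; an all-zero ObjectType means "all properties".
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$Rights     = [System.DirectoryServices.ActiveDirectoryRights]

function Get-AceList {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Read the DACL through the AD: drive and add a comparable key per ACE.
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
            ObjectType, IsInherited,
            @{ n = 'Key'; e = { '{0}|{1}|{2}|{3}' -f $_.IdentityReference,
                $_.AccessControlType, $_.ActiveDirectoryRights, $_.ObjectType } }
}

$template = Get-AceList -DistinguishedName $templateDN
$group    = Get-AceList -DistinguishedName $groupDN

# 1. ACEs on Domain Admins that the template does not carry. These are the
#    entries that disappear when the template is next applied.
$drift = $group | Where-Object { $template.Key -notcontains $_.Key }

# 2. Template ACEs that allow changing membership or the ACL itself. Anything
#    here applies to every protected object, not just Domain Admins.
$writeAcl = [int]($Rights::WriteDacl -bor $Rights::WriteOwner)
$risky = $template | Where-Object {
    $r = [int]$_.ActiveDirectoryRights
    $_.AccessControlType -eq 'Allow' -and (
        ($r -band $writeAcl) -or
        (($r -band [int]$Rights::WriteProperty) -and
         ($_.ObjectType -in @($memberGuid, [guid]::Empty))))
}

# 3. Objects currently flagged as protected (adminCount=1).
$protected = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount

'--- On Domain Admins but not on AdminSDHolder ---'
$drift | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights -AutoSize
'--- AdminSDHolder ACEs allowing membership/ACL changes (review each trustee) ---'
$risky | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
'--- Objects with adminCount=1 ---'
$protected | Sort-Object ObjectClass, Name | Format-Table Name, ObjectClass -AutoSize
```

Running it before and after a delegation change shows whether the ACE was added to the group only, where it will be reverted, or to the template, where it reaches every protected object.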
