  • remove Domain Admins Risk

    Hi everyone,

    What is the risk of removing AD Domain Admins and AD Enterprise Admins from
    the AD Administrators group?!

  • #2
    Re: remove Domain Admins Risk

    Er... probably the loss of ability to administer the domain

    What are you trying to do? You are probably better off removing members from Domain Admins.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: remove Domain Admins Risk

      I found a case like that:
      the Domain Admins group was removed from the AD Administrators group
      and everything worked normally.



      • #4
        Re: remove Domain Admins Risk

        If I remember (from the long distant past of teaching MCSE 2003) the Administrators group at the domain level gives you local administrator permissions on DCs (which do not have local users and groups). So if you remove people from that group but leave them in "domain admins" they will still be able to do domain level tasks, but not to do it on the DCs themselves.
        Unless you have adminpak.msi already deployed to clients, or have given them other permissions on the DCs, you could find yourself locked out...

        Again, what are you trying to achieve, and what is your environment like?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: remove Domain Admins Risk

          Thanks Ossian.

          As I understand you, if I remove Domain Admins from the AD Administrators group and try to install WS, the operation will fail on DCs.

          Usually external auditors don't understand the MS environment (not all); one of them asked us to remove Domain Admins and Enterprise Admins from AD Administrators!!



          • #6
            Re: remove Domain Admins Risk

            I would politely inform your auditors that's not the correct way to tightly control security on your domain.

            As Ossian has said, the best way to control this, and this is what has been requested in my organisation, a global bank, via internal and external auditors, is to tightly control and monitor the members of Enterprise Admins (I am one of 3) and Domain Admins (we have around 30, most of which are service accounts).

            Removing Domain and Enterprise Admins from the Administrators domain local group will just make your life painful in the future.

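An added example, not code from any poster in this thread: a PowerShell script for the kind of membership review Ossian and the poster above describe, which also checks the specific nesting discussed in #4. It assumes the RSAT ActiveDirectory module and that it is run in the forest root domain (where Enterprise Admins lives) by an account allowed to read group membership.

```powershell
# Added example: inventory the three groups this thread is about and report
# whether Domain Admins / Enterprise Admins are still nested in the domain-local
# Administrators group. Assumes RSAT ActiveDirectory module, forest root domain.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins'

# Direct membership of Administrators, so nesting is visible: who is there via a
# group versus who was added individually.
Write-Host "== Administrators (direct members) =="
$adminMembers = Get-ADGroupMember -Identity 'Administrators'
$adminMembers | Select-Object objectClass, SamAccountName | Format-Table -AutoSize

# The point raised in #4: if these groups are not in Administrators, their members
# are no longer local administrators on the domain controllers.
$nestedGroups = @($adminMembers | Where-Object objectClass -eq 'group' |
    Select-Object -ExpandProperty SamAccountName)
foreach ($g in $privilegedGroups) {
    if ($nestedGroups -contains $g) {
        Write-Host "$g is nested in Administrators (the default)"
    } else {
        Write-Warning "$g is NOT in Administrators: its members will not be local admins on DCs"
    }
}

# Effective (recursive) user membership of each privileged group for review:
# sort by last logon so stale or never-used accounts surface first, and show
# password age, which matters for the service accounts mentioned in the thread.
foreach ($g in $privilegedGroups) {
    $users = Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, Enabled
    Write-Host "== $g effective user members: $(@($users).Count) =="
    $users |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet |
        Sort-Object LastLogonDate |
        Format-Table -AutoSize
}
```

Run it periodically and diff the output against the last run; an unexpected new member of either group is the event the auditors actually care about.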


            • #7
              Re: remove Domain Admins Risk

              Perhaps they meant that your "domain administrator" users should have the groups Enterprise administrator and Domain Administrators removed from their accounts. Not that the Domain admin group should have things removed from it.

              Also, there's a group that will only allow unlocking users from a domain and resetting passwords. Perhaps this is what they want for more admins?

              And, most auditors suggest using a secondary administrator account for each admin. So you'd have Joe Admin and then Joe AdminA or something like that.
              GoogleFu is strong with this one ^



              • #8
                Re: remove Domain Admins Risk

                And encourage using those domain admin accounts only via 'Run As', providing the task can be carried out.

                The default administrator account is sometimes required to be renamed and should have a long password stored away in a safe. You then create special accounts for services and grant them minimal permissions and long passwords (secured away in a safe). You then create your technicians' domain accounts, but the best approach sometimes is to delegate permissions via OUs.

                They use these accounts as 'Run As'.

                Minimising who knows the main administrator password and service accounts reduces how often you change them when staff leave. Their own allocated accounts are easy to control and allow auditing of their activities.

                An administrator account should never be used to logon locally to a computer. If a task requires local logon as an administrator, as some tasks don't allow 'Run As', use MSTSC to access the computer.
