Deny Access to Active Directory for Admins


  • Deny Access to Active Directory for Admins

    hi,

    I want to deny access to Active Directory for some admins so that they can't use the Active Directory console to write/modify any object; however, they can still read the objects.

    This is required so that they can install/uninstall the patches on all ADCs.

    Please advise on an urgent basis...!

    Thanks

  • #2
    Re: Deny Access to Active Directory for Admins

    Originally posted by gaurav_abbot:
    Please advise on an urgent basis...!
    Please bear in mind that the contributors to this site are all volunteers giving up their spare time. If you need this urgently, then I suggest you contact Microsoft or a consultant.

    Originally posted by gaurav_abbot:
    This is required so that they can install/uninstall the patches on all ADCs.
    Do you think that one or more of these admins would go into ADUC and make changes? If someone isn't trustworthy, they shouldn't be an administrator in the first place.

    You *might* be able to do this by delegating permissions, however I'm not sure if that gives you the option of denying write access.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



    • #3
      Re: Deny Access to Active Directory for Admins

      I don't understand why you would wish to remove administrator permissions from administrators.

      Like gfi said, if you don't trust them, don't put them in a designated position of trust.

      In my last role, I was horrified to find that every single user in the domain had DA permissions. One of the things I did was start ratifying permissions. I worked out what they needed to do their jobs, created appropriate permission groups, then pulled them right out of the DA roles. This included the director of the company.

      Anyone who needed administrative access, got a specifically defined admin account (think TehCamel_A or AdminTC or !TehCamel something like that - yes, ! works)

      If you need someone to log on to a domain controller, they should be a DA. So you should trust them.
      Messing with permissions in the way you describe is heading for trouble, not to mention being a nightmare to manage.
      Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



      • #4
        Re: Deny Access to Active Directory for Admins

        Remove them from Domain Admins, add them to a group with suitable delegated permissions on AD and give them ADUC/RSAT installed locally to do their tasks.
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Deny Access to Active Directory for Admins

          Are there no other problems that happen when you do this? As I would think there would be a lot of things that run with domain admin privileges (services, tasks, software) that might stop working.

          Could you not create a user group, assign them to that group, then apply the deny on that? That way they will still have the rest of the domain admin powers, but anyone in the sub group will not have AD change permissions.

          Wofen
          Good to be back....



          • #6
            Re: Deny Access to Active Directory for Admins

            Here's a concept.

            Use WSUS. Configure a GPO to make the domain controllers check for updates on a weekly basis.
            Have your not-quite-admins review, test, and deploy the patches via WSUS.
            Have the DCs apply, and reboot, on a staggered cycle, at say 3:30am on a Sunday.

            Easy. Patches get applied, your support staff don't even need to have access to the domain controller at all, resulting in no need to adjust AD privileges.
            Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif



            • #7
              Re: Deny Access to Active Directory for Admins

              Agree with Tehcamel with regards to WSUS, although if you wanted a 'read-only' admin, simply create a user account and delegate control over the domain or OU they need access to. This way you can set pretty granular permissions on what they can do.

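One way to check that the delegated "read-only" group suggested in #4 and #7 really stays read-only, as an added example (not code from any poster in this thread): it reports members of that group who still hold Domain Admins through nesting, and lists any ACE on the target OU that grants the group more than read rights. It assumes the ActiveDirectory RSAT module; the group and OU names are placeholders.

```powershell
# Added example (not from the thread). Audits a delegated read-only operators group:
# 1) flags members who are still (directly or via nesting) in Domain Admins, and
# 2) lists every Allow ACE on the target OU that gives the group write-type rights.
# Assumes RSAT / the ActiveDirectory module and read access to the OU's security descriptor.
Import-Module ActiveDirectory

$ReadOnlyGroup = 'AD-ReadOnly-Operators'            # placeholder delegated group
$TargetOU      = 'OU=Servers,DC=example,DC=local'   # placeholder OU

# Rights that let the holder change directory data, its security or its children.
# Anything outside this mask (GenericRead, ReadProperty, ListChildren, ReadControl) is read-only.
$WriteRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
               [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
               [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor
               [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
               [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree -bor
               [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -bor
               [System.DirectoryServices.ActiveDirectoryRights]::Self

# 1) Members of the read-only group who still reach Domain Admins through any nesting.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty SamAccountName
Get-ADGroupMember -Identity $ReadOnlyGroup -Recursive |
    Where-Object { $domainAdmins -contains $_.SamAccountName } |
    ForEach-Object { Write-Warning "$($_.SamAccountName) is in $ReadOnlyGroup AND Domain Admins" }

# 2) ACEs on the OU (explicit and inherited) that grant the group write-type rights.
$groupSid = (Get-ADGroup -Identity $ReadOnlyGroup).SID
$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid -and
        ($_.ActiveDirectoryRights -band $WriteRights) -ne 0
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

An empty table from step 2 means the group holds only read rights on that OU; a non-empty ObjectType GUID identifies the specific attribute or extended right the ACE covers.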


              • #8
                Re: Deny Access to Active Directory for Admins

                Originally posted by gaurav_abbot:
                hi,

                I want to deny access to Active Directory for some admins so that they can't use the Active Directory console to write/modify any object; however, they can still read the objects.

                This is required so that they can install/uninstall the patches on all ADCs.

                Please advise on an urgent basis...!

                Thanks
                Dear Friend,

                Tell your administrator to install the admin pack (adminpak.msi) on their client system (XP). Remove all the administrative privileges in the AD.

                By doing this they are able to view the AD snap-in (read-only permission).



                • #9
                  Re: Deny Access to Active Directory for Admins

                  This will not provide the level of authority the original poster requires.
                  Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif
