How to restrict Domain Admins
  • How to restrict Domain Admins

    Hello to All,
    I'm new to this community.
    We have 1 DC in our Head Office and 3 ADCs in different branch offices. The DC is running Win 2003 Ent edition 32-bit O/S and the ADCs are running Win 2003 STD edition 32-bit. All are connected through VPN. We have created a different OU for each branch and users are created there.
    We have System Administrators in all the locations with Domain Admin rights. Anyone can log in to any of the ADC servers and make changes, and the same will be replicated to the DC.
    I would like to restrict their permissions OU-wise in servers. For example, the branch1 Administrator should have rights only for his OU. He should create users only in that OU; he should not make any changes in other OUs.

    I have no idea how to implement this. Please let me know how to do this!

    Thanks in Advance,
    Mani

  • #2
    Re: How to restrict Domain Admins

    1) Remove them from Domain Admins -- it does what it says!
    2) Create a group of administrators for each OU
    3) Use the delegation of control wizard (in ADUC) to grant the group permissions to manage users and whatever else you need. Do this for each OU
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    • #3
      Re: How to restrict Domain Admins

      I believe we cannot create Administrator in an OU as it is a built-in user/group.
      Thanks,
      Mani

      • #4
        Re: How to restrict Domain Admins

        Sorry, you misunderstood me.
        Create security groups called "OU1_Admins", "OU2_Admins" (or whatever names you want) and add the relevant users to each.
        Then run the Delegate Control Wizard in OU1 to grant the rights you want to "OU1_Admins", and similarly for each other OU.

        That way you can change admins by adding or removing them from the group rather than re-running the wizard.
        Tom Jones
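The per-OU group plus delegation that Tom describes in #2 and #4 can also be set without the wizard, which makes it reviewable and repeatable across the branch OUs. The script below is an added example and not from this thread; it assumes the RSAT ActiveDirectory module (Server 2008 R2 or later, so not the Windows 2003 DCs in the question), an OU called Branch1 and the OU1_Admins-style group name from #4. It grants slightly less than the wizard's "Create, delete and manage user accounts" task (which gives Full Control on user objects): create/delete of user objects in the OU tree, read and write of their attributes, and the Reset Password extended right, and nothing outside that OU.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module and an OU named Branch1.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$ouName    = 'Branch1'                                  # assumed OU name
$ouDN      = "OU=$ouName,$($domain.DistinguishedName)"
$groupName = "${ouName}_Admins"                         # naming scheme from post #4

# 1) One security group per OU. Branch admins go in here, not in Domain Admins.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}
$sid = (Get-ADGroup $groupName).SID

# Schema GUIDs the Delegation of Control wizard uses for its "user objects" tasks
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right

$acl = Get-Acl -Path "AD:\$ouDN"

# 2) Create and delete user objects in this OU and any sub-OUs (objectType = user class)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, 'CreateChild, DeleteChild', 'Allow', $userClassGuid, 'All'))

# 3) Read and write attributes of existing user objects below the OU (inherited to user objects only)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, 'GenericRead, WriteProperty', 'Allow', 'Descendents', $userClassGuid))

# 4) Reset Password extended right on those same user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    $sid, 'ExtendedRight', 'Allow', $resetPasswordGuid, 'Descendents', $userClassGuid))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: show every ACE on the OU that names the new group, so the delegation can be reviewed
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq "$($domain.NetBIOSName)\$groupName" } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Run it once per branch OU with `$ouName` changed. Removing the branch admin from Domain Admins (Tom's step 1) is what actually limits the blast radius; the delegated ACEs only add back the rights the branch needs, and the final listing is the thing to keep for audit.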

        • #5
          Re: How to restrict Domain Admins

          This article may help in what Ossian is describing.

          -Jason
          MCSA/MCSE 2K3,MCITP:ESA,MCTS x 4,VCP x 2

          • #6
            Re: How to restrict Domain Admins

            I have created a user under the domain and added that user ("testuser") to the following groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Remote Desktop Users.
            But still I'm unable to access my DC through mstsc using this new user. I'm receiving the following message while logging in through mstsc: "To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually."
            Kindly help me to solve the issue...

            Thanks,
            Mani

            • #7
              Re: How to restrict Domain Admins

              Hi,

              Go to Domain Controller Security Policy -> Security Settings -> Local Policies -> User Rights Assignment -> Allow log on through Terminal Services -> Properties -> add the required user/group to allow Terminal Services logon.

              I hope it helps!
              Thanks,
              Mani
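After changing the user right in #7, it is worth confirming what the DC actually ended up with rather than trusting the policy editor. The script below is an added example, not from the thread; it assumes it is run as an administrator on the DC itself after `gpupdate /force`, and that PowerShell is available there (it is not installed by default on Windows 2003). It exports the effective security policy with secedit, reads the `SeRemoteInteractiveLogonRight` line (the internal name of "Allow log on through Terminal Services"), and resolves each SID so you can see exactly which groups may log on over RDP.

```powershell
# Added example, not from the thread. Read-only: it exports the effective policy and reports it.
function Get-RemoteInteractiveLogonHolders {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'     # assumed scratch path
    secedit /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt' }

    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
    Remove-Item $cfg -Force

    if (-not $line) {
        # No line means nobody holds the right on this host, which is what post #6 ran into
        return @()
    }

    # Format is: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $entries = $line.Split('=')[1].Trim().Split(',') | Where-Object { $_ }
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved SID>' }
            [pscustomobject]@{ SID = $sid.Value; Account = $name }
        } else {
            # secedit occasionally writes a plain account name instead of a SID
            [pscustomobject]@{ SID = '<n/a>'; Account = $entry }
        }
    }
}

$holders = Get-RemoteInteractiveLogonHolders
if ($holders.Count -eq 0) {
    'No principal holds "Allow log on through Terminal Services" on this DC.'
} else {
    $holders | Format-Table -AutoSize
}
```

On a domain controller the result should normally list Administrators (S-1-5-32-544); if the branch admins are no longer in Domain Admins (post #2, step 1) they need to appear here through a group of their own, and that group should be as narrow as the OU delegation is.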

              • #8
                Re: How to restrict Domain Admins

                Domain Admins should be given that right as a matter of course (if they don't have it already).
                Tom Jones