I need to figure out a way to prevent the network admins from promoting
themselves to enterprise/schema admins. I have already set up the restricted
group, but they can still add themselves to these groups to bypass this.

Questions:
1) How can I set the permissions so only enterprise admin can edit all
GPO's? I will then delegate specific policies to specific people.
2) Can I modify the default domain GPO ACL to only have enterprise admin
edit it? I see in the GPMC that I can remove the delegation to domain
admins. Is this how I go about this?
3) MOST IMPORTANTLY: I have tried removing domain admin permissions from my
guys, but then it gets really hard for them to do their work on client PC's
since they have to log in as local admin. What can I do to ease this pain
and remove domain admin for a few more guys? I have added them to the
administrators group in AD but that did not seem to help.
4) Right now the group "domain admins" is added to the remote tab of the
system tab. Should I replace this with the "Remote Desktop Users" group? I
am also considering customizing this per server, is this safe?

I realize that I am not doing things the right way and that none of us
should log onto every/any PC as a domain admin, but I do not have a more
efficient method yet.

TIA

Re: restricting admin access to network by Steven

Steven
Thu Sep 15 10:09:02 CDT 2005

First off, in a root domain you really can not prevent a member of the
administrators group for the "domain" or domain admins group from becoming
whatever they want, including enterprise or schema administrators. You really
should only need a couple of administrators [or domain admins] for the
domain.

You can however add regular domain users to the local administrators
group of any domain computer that is not a domain controller. You can do it
via a Group Policy startup script using the net localgroup command or use
Restricted Groups via a Group Policy linked at the OU level and then add the
domain computers you want them to be local administrators on into that OU.
You may want to use the "member of" option when you do this: create a global
group that contains the users you want, then add it to administrators. Your
Windows 2000 computers will need to be at SP4 for "member of" to work right.
You do not have to use "member of", but the other option will replace and
enforce current membership in the local administrators group on those domain
computers, which may or may not be desirable for you.

Once you have that, make sure that membership of administrators [for the
domain], domain admins, enterprise admins, and schema admins is what you want
and monitor it closely, and be sure that auditing of account management is
enabled in Domain Controller Security Policy so that it can help you monitor
changes in group membership. -- Steve

http://www.microsoft.com/technet/security/default.mspx --- TechNet
Security home page
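Steve's last point, checking the four privileged groups against what you intend and watching the account-management audit trail, can be scripted. The following is an added example and not code from the thread: it runs on a domain controller with the RSAT ActiveDirectory module, and the approved member lists in $Baseline are placeholders you must replace with your own. The event IDs are the standard "member added to security-enabled group" events; the 6xx IDs are the Windows 2000/2003 equivalents of the 47xx IDs, so whichever generation of DC you have, one set will apply.

```powershell
# Added example, not from the thread. Run on a DC with the ActiveDirectory module.
# ASSUMPTION: the approved member lists below are placeholders for your environment.
Import-Module ActiveDirectory

$Baseline = @{
    'Administrators'    = @('Administrator', 'Domain Admins', 'Enterprise Admins')
    'Domain Admins'     = @('Administrator')
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @('Administrator')
}

# 1. Compare live membership with the baseline and warn on any drift in either direction.
foreach ($group in $Baseline.Keys) {
    $actual     = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
    $unexpected = $actual | Where-Object { $Baseline[$group] -notcontains $_ }
    $missing    = $Baseline[$group] | Where-Object { $actual -notcontains $_ }

    if ($unexpected) { Write-Warning "$group has unapproved members: $($unexpected -join ', ')" }
    if ($missing)    { Write-Warning "$group is missing approved members: $($missing -join ', ')" }
    if (-not $unexpected -and -not $missing) { Write-Output "$group matches baseline." }
}

# 2. With 'Audit account management' enabled in Domain Controller Security Policy, a member
#    being added to a group is logged in the Security log as:
#      4728 / 632 = security-enabled global group      (e.g. Domain Admins, Schema Admins)
#      4732 / 636 = security-enabled local group       (e.g. builtin Administrators)
#      4756 / 660 = security-enabled universal group   (e.g. Enterprise Admins)
#    List who added whom to which group in the last 24 hours.
$ids = 4728, 4732, 4756, 632, 636, 660
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-1) } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Property order for 4728/4732/4756: 0 MemberName, 2 TargetUserName (the group),
        # 6 SubjectUserName (the account that made the change).
        [PSCustomObject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Group  = $_.Properties[2].Value
            Member = $_.Properties[0].Value
            By     = $_.Properties[6].Value
        }
    } | Format-Table -AutoSize
```

Run it as a scheduled task and route the warnings to whatever alerting you have; the membership comparison catches a self-promotion even if the audit log was cleared, and the event query tells you which account did it. Get-WinEvent needs Vista/2008 or later; on a Windows 2003 DC, filter the Security log on IDs 632/636/660 in Event Viewer instead.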




Re: restricting admin access to network by Lanwench

Lanwench
Fri Sep 16 10:30:15 CDT 2005



In news:OdEi2dguFHA.3932@TK2MSFTNGP15.phx.gbl,
Steven L Umbach <n9rou@nospam-comcast.net> typed:
> First off in a root domain you really can not prevent a member of the
> administrators group for the "domain" or domain admins group from
> becoming whatever they want including enterprise or schema
> administrators. You really should only need a couple of
> administrators [or domain admins] for the domain. You can however add
> regular domain users to the local administrators group of any domain
> computer that is not a domain controller. You can do it via a Group
> Policy startup script using the net localgroup command or use
> Restricted Groups via a Group Policy linked at the OU level and then
> add the domain computers you want them to be local administrators on
> into that OU. You may want to use "member of" option when you do
> this, create a global group that contains the users you want, then
> add it to administrators. Your Windows 2000 computers will need to be
> at SP4 for "member of" to work right. You do not have to use "member
> of" but the other option will replace and enforce current membership
> in the local administrators group on those domain computers which may
> or may not be desirable for you. Once you have that make sure that
> membership of administrators [for the domain], domain admins,
> enterprise admins, and schemas admins is what you want and monitor it
> closely and be sure that auditing of account management is enabled in
> Domain Controller Security Policy so that it can help you monitor
> changes in group membership. -- Steve

When you post in here, always include your version, SP level, and mode (if
applicable) of Outlook - you can find this information in Help | About. Also
include the type of mail account(s) you use and any other pertinent details.

...in addition, you can add domain groups to local workstation groups. I
usually create a group in AD called "Local Admins" and add that group to
every workstation's local administrators group - which you can do
centrally - and add the domain users/groups I wish to that group.
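Here is what Steve's "startup script using the net localgroup command" and Lanwench's "Local Admins" group look like when put together. This is an added example, not code posted in the thread: a computer Startup script to link through a GPO at the workstation OU. It behaves like the additive "member of" option, adding the domain group without replacing the existing local members, it skips domain controllers as Steve's caveat requires, and it is safe to run at every boot. CONTOSO\Local Admins is an assumed placeholder for your own domain and group name.

```powershell
# Added example, not from the thread. Use as a GPO computer Startup script.
# ASSUMPTION: the domain global group is CONTOSO\Local Admins (placeholder name).
$DomainGroup = 'CONTOSO\Local Admins'
$LocalGroup  = 'Administrators'

# Never touch a domain controller: there is no separate local Administrators group
# there, only the domain's builtin Administrators group.
# Win32_ComputerSystem.DomainRole: 0/1 workstation, 2/3 server, 4 backup DC, 5 primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    Write-Output "Domain controller detected (DomainRole=$role); nothing to do."
    exit 0
}

# Read current membership from 'net localgroup Administrators'. Its output is a header,
# a line of dashes, one member per line, then 'The command completed successfully.'
$lines   = & net localgroup $LocalGroup 2>&1
$members = @()
$inList  = $false
foreach ($line in $lines) {
    if ($line -match '^-{5,}') { $inList = $true; continue }
    if (-not $inList) { continue }
    if ($line -match '^The command completed' -or [string]::IsNullOrWhiteSpace($line)) { continue }
    $members += ([string]$line).Trim()
}

# Additive only: add the domain group if it is missing, leave everyone else alone.
# (-contains is case-insensitive in PowerShell, which matches how Windows compares names.)
if ($members -contains $DomainGroup) {
    Write-Output "$DomainGroup is already a member of $LocalGroup."
} else {
    & net localgroup $LocalGroup $DomainGroup /add
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Added $DomainGroup to $LocalGroup."
    } else {
        Write-Output "net localgroup failed with exit code $LASTEXITCODE."
    }
}
```

Membership of the local Administrators group is then managed entirely by who is in the domain "Local Admins" group, so removing someone from Domain Admins no longer costs them the local rights they need on workstations, and that one domain group becomes the place to review. If you would rather have Group Policy enforce the exact local membership (the Restricted Groups "members" option Steve mentions), this script is not what you want, since it deliberately leaves pre-existing members in place. On Windows 10 / Server 2016 and later the same check can be written with Get-LocalGroupMember and Add-LocalGroupMember instead of parsing net.exe output.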



Re: restricting admin access to network by pathfinder

pathfinder
Fri Sep 16 16:14:02 CDT 2005

wooooohhhhhooooooooooooooo! you guys are geniuses. works great, thanks.

Any hope on these 2 questions?
> >> -1) How can I set the permissions so only enterprise admin can edit
> >> all GPO's? I will then delegate specific policies to specific people.
> >> 2) Can I modify the default domain GPO ACL to only have enterprise
> >> admin edit it? I see in the GPMC that I can remove the delegation
> >> to domain admins. Is this how I go about this?

