K
Kevin Buchanan
In our IT department, we have several domain admins, but we want to limit
their access to Active Directory.
The scenario:
In a OU called "Test OU", we have set "Enterprise Admins" to have Full
control and "Authenticated Users" to have "Read" only permissions in the
security tab.
The problem:
"Domain Admins" still have full access to edit Group Policy even though they
aren't in or a member of "Enterprise Admins". If we remove "Authenticated
Users" from the security altogether, then the "Domain Admins" cannot access
the "Test OU" group.
Why would the Domain Admins still seemingly have "FULL" access even though
they SHOULD only have the permission of "Authenticated Users" (read only)?
When we remove the "Authenticated users", then they aren't able to access
the group - so it would seem that a domain admin is being checked against
the ACL list, but why would they have "Full" control if the "Authenticated
Users" only have read only access?
TIA,
KB
their access to Active Directory.
The scenario:
In a OU called "Test OU", we have set "Enterprise Admins" to have Full
control and "Authenticated Users" to have "Read" only permissions in the
security tab.
The problem:
"Domain Admins" still have full access to edit Group Policy even though they
aren't in or a member of "Enterprise Admins". If we remove "Authenticated
Users" from the security altogether, then the "Domain Admins" cannot access
the "Test OU" group.
Why would the Domain Admins still seemingly have "FULL" access even though
they SHOULD only have the permission of "Authenticated Users" (read only)?
When we remove the "Authenticated users", then they aren't able to access
the group - so it would seem that a domain admin is being checked against
the ACL list, but why would they have "Full" control if the "Authenticated
Users" only have read only access?
TIA,
KB