Administrator, Administrators & Domain Admins

Guest

Can someone give me a brief explanation of the difference between the above
three items, relating to the following problem.

I want to secure access to all user directories on the server, where I have
granted access to each user directory to both the domain admins group and the
individual user.

To set this up I took ownership of all directories and individual files as
Administrator, which may have been an error looking at the problem I am left
with.

So now I'd like some help with the best way to make sure only one or two
'super users' can access all files, as all of the support team have either the
administrator password, or are part of the domain admins group.

Any help on redistributing the power would be appreciated!
 
Joe Richards [MVP]

Ok first a quick def of the things in the subject

Administrator - built in ID available on all Windows NT based machines. This ID
has a fixed well known RID and is handled specially for things like lockouts.

Administrators - built in group on all Windows NT based machines and has a well
known fixed SID that is identical on all machines. This group is similar to root
access on UNIX type systems. Anyone in this group can override any Windows
specific security even if it is configured to disallow their access. The
administrator ID is in this group by default which is how the administrator ID
has the access rights it has.

Domain Admins - built in group on all Windows Domains, like the administrator
ID, it also has a well known fixed RID. This group is nested into the
administrators group and on NT4 domains, that is how the group has power on
domain controllers. In AD Domains, the Domain Admins group has powers directly
in AD due to delegation to that group's SID. The group is also nested in the
administrators groups of all member machines of the domain by default but there
is nothing enforcing this membership and it can be successfully removed.

The only way you can completely secure data on a file server from anyone who has
administrator access is through third party encryption. Period. Anything else is
simply a barrier to keep good admins from thinking about doing bad and can take
the form of whatever you think it will take.

Note that no one should really have the administrator ID password, it should be
set to some obscenely large password and put in an envelope and locked up to
never be used again. In my last ops position I locked up the builtin admin IDs
and never touched them for 5 years. Any admin ID that multiple users know the
password to is dangerous as it is a generic admin ID and there is no mechanism
to track who did what when using generic IDs as it could be anyone with that
ID's password.

joe
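
The fixed SID and RIDs described in the post above can be checked directly. This is an added example, not part of the original post; the domain identifier in the sample SIDs is constructed, and RIDs 500 and 512 are the well-known values for the built-in Administrator account and the Domain Admins group.

```powershell
# Constructed sample SIDs; the domain part 1111111111-2222222222-3333333333 is made up.
$SampleSids = @(
    'S-1-5-32-544',                                     # Administrators (same on every machine)
    'S-1-5-21-1111111111-2222222222-3333333333-500',    # built-in Administrator account
    'S-1-5-21-1111111111-2222222222-3333333333-512',    # Domain Admins
    'S-1-5-21-1111111111-2222222222-3333333333-1104'    # an ordinary account
)

function Get-AdminPrincipalKind {
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $t = [System.Security.Principal.WellKnownSidType]
    # IsWellKnown matches on the SID/RID, so a renamed Administrator account is still found.
    if ($s.IsWellKnown($t::BuiltinAdministratorsSid)) { return 'Administrators group (fixed SID S-1-5-32-544)' }
    if ($s.IsWellKnown($t::AccountAdministratorSid))  { return 'built-in Administrator account (RID 500)' }
    if ($s.IsWellKnown($t::AccountDomainAdminsSid))   { return 'Domain Admins group (RID 512)' }
    return 'ordinary account or group'
}

# Classify the constructed samples.
$SampleSids | ForEach-Object { '{0,-50} {1}' -f $_, (Get-AdminPrincipalKind $_) }

# On a live member server: list who is actually in the local Administrators group
# and show whether Domain Admins is still nested there.
Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
    [pscustomobject]@{
        Name  = $_.Name
        Class = $_.ObjectClass
        Kind  = Get-AdminPrincipalKind $_.SID.Value
    }
}
```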
 
Jorge_de_Almeida_Pinto

Can someone give me a brief explanation of the difference between the above
three items, relating to the following problem.

I want to secure access to all user directories on the server, where I have
granted access to each user directory to both the domain admins group and the
individual user.

To set this up I took ownership of all directories and individual files as
Administrator, which may have been an error looking at the problem I am left
with.

So now I'd like some help with the best way to make sure only one or two
'super users' can access all files, as all of the support team have either the
administrator password, or are part of the domain admins group.

Any help on redistributing the power would be appreciated!

administrator -> user account member of administrators, domain admins
and enterprise admins

administrators -> built-in local group, has full god mode permissions
on all DCs of the domain

domain admins -> global group member of administrators group for DCs
and member of administrators group on each member server

enterprise admins -> universal security group, member of
administrators group in each domain in the forest

These groups/user are very powerful and there is NO WAY (besides
using encryption) you can exclude these groups/user from doing
anything. Even if you revoke permission they still have the right to
take ownership. It is better to delegate permissions to custom made
security groups

On home directories and/or profile directories I usually assign the
following permissions

ownership: administrators

perms:
administrators - full
system - full
<some delegated group> - modify or full when the need exists to change
permissions or ownership
<username> - modify

You can reassign ownership to administrators the same way as you took
it

My advice:
* Change the administrator password and only give it to one other
trusted individual!
* Cleanup memberships from the groups administrators, domain admins
and enterprise admins
* Delegate permissions to custom groups
* Create administrative accounts (separate accounts to do admin
work)(and I don’t mean to assign membership to the powerful groups)
and place each admin account into the custom made group for the
permission the support person needs
Cheers,
Jorge
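
The home-directory ownership and permission layout from the post above, applied with `icacls` and then checked. This is an added example, not part of the original post; the share root `D:\Home`, the domain name `CONTOSO`, the delegated group `HomeDir-Support`, and the convention that each folder is named after its user are all assumptions.

```powershell
# Hypothetical values: adjust to the environment.
$HomeRoot  = 'D:\Home'
$Domain    = 'CONTOSO'
$Delegated = "$Domain\HomeDir-Support"   # custom delegated group, not a built-in admin group

Get-ChildItem -Path $HomeRoot -Directory | ForEach-Object {
    $dir  = $_.FullName
    $user = "$Domain\$($_.Name)"         # assumes folder name == user name

    # Ownership: the Administrators group, referenced by its well-known SID.
    icacls $dir /setowner '*S-1-5-32-544' /T /C | Out-Null

    # Stop inheriting from the share root and set the four entries explicitly:
    # Administrators and SYSTEM full, delegated group and the user modify.
    icacls $dir /inheritance:r /grant:r `
        '*S-1-5-32-544:(OI)(CI)F' `
        '*S-1-5-18:(OI)(CI)F' `
        "${Delegated}:(OI)(CI)M" `
        "${user}:(OI)(CI)M" | Out-Null

    # Check: report any remaining explicit entry outside the intended set,
    # for example a leftover grant to Domain Admins or to the Administrator account.
    $expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $Delegated, $user)
    (Get-Acl -Path $dir).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -notin $expected } |
        ForEach-Object {
            [pscustomobject]@{
                Folder   = $dir
                Identity = $_.IdentityReference.Value
                Rights   = $_.FileSystemRights
            }
        }
}
```

Entries the check reports can be dropped with `icacls <folder> /remove <identity>` once confirmed as unwanted.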
 
