Blocking "Enterprise Admins" permissions


Jim Singh

Hi -
Does anyone know of possible implications of restricting/blocking the
"Enterprise Admins" security group permissions from a child-level domain,
besides the DHCP pool authorization, child domain creation, ADC etc.?

Does blocking the "EA" group from the child domain have any impact on replication?
And are there any other serious implications? i.e. attribute/class
dependencies etc.?
Thanks!
 

Chriss3 [MVP]

You cannot restrict the Enterprise Admins group and should not do so; it's a
protected group. However, if you do not trust the members of the Enterprise
Admins group, remove them and try to find another delegation method. You
should only select members that you trust to be Enterprise Admins.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 

Jim Singh

Chris -
I am an enterprise admin; however, some child-level domains need to get complete
isolation and want no access from outside (except replication ports, DNS etc.
(389, 25, 53, etc.)). As the forest is the ultimate security boundary... I am trying
to test a solution where I can prevent another forest in the org. Besides
having another forest or a separate tree, the alternative is to block EA
permissions from the child domain object, local admin account and local admins
group.
I have tested this in the lab and found that this does in fact restrict EA
from going to dig in the child domain; what I am not sure of is if there are other dependencies
that depend on the EA group, i.e. replication, schema attributes etc.
Another issue I am concerned about is that "GPOadmins" and "schema admins" might be
able to compromise the security and get into the child-level domain. (I
haven't tested this yet.)
-Jim
 

Danny Sanders

> I have tested this in the lab and found that this does in fact restrict EA
> from going to dig in the child domain; what I am not sure of is if there are other
> dependencies


The problem is that a user in the EA group can go in and reverse the changes
you have made. That is why a separate forest is the "security boundary" in
Win 2k.


hth
DDS W 2k MVP MCSE
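As an added audit example (not code from any poster in this thread), the following PowerShell script lists the ACEs on a child domain's domain head that name the forest's Enterprise Admins group, so an administrator can see whether the kind of Deny ACE described above is present; it assumes the RSAT ActiveDirectory module, a forest-wide read account, and the placeholder child domain name "child.corp.example".

```powershell
# Added audit example, not from the thread. Lists explicit ACEs on a child
# domain's domain head that target the forest Enterprise Admins group.
# Assumes the RSAT ActiveDirectory module and an account with forest-wide
# read access. $ChildDomain is a placeholder; supply the domain to audit.
param(
    [string]$ChildDomain = "child.corp.example"   # placeholder value
)

Import-Module ActiveDirectory

# Enterprise Admins exists only in the forest root domain; its SID is the
# root domain SID followed by the well-known RID 519.
$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain
$eaSid = [System.Security.Principal.SecurityIdentifier]"$($rootDomain.DomainSID.Value)-519"

$child = Get-ADDomain -Identity $ChildDomain
$acl   = Get-Acl -Path ("AD:\" + $child.DistinguishedName)

# Ask for rules keyed by SID so the comparison does not depend on name lookup.
$eaRules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $eaSid }

if (-not $eaRules) {
    Write-Warning "No ACE for Enterprise Admins on $($child.DistinguishedName); default permissions have been altered."
}

# One row per ACE: Allow/Deny, the rights granted or denied, and whether it
# was set directly on the domain head or inherited from a parent.
foreach ($rule in $eaRules) {
    [pscustomobject]@{
        Domain      = $ChildDomain
        Type        = $rule.AccessControlType
        Rights      = $rule.ActiveDirectoryRights
        Inherited   = $rule.IsInherited
        Inheritance = $rule.InheritanceType
    }
}

# An explicit Deny here is the change discussed in the thread. It is not a
# security boundary: members of the group can still edit this ACL and remove it,
# so report it as reversible configuration drift rather than as isolation.
$denies = @($eaRules | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($denies.Count -gt 0) {
    Write-Warning ("{0} explicit Deny ACE(s) for Enterprise Admins on {1}; reversible by the group itself." -f $denies.Count, $ChildDomain)
}
```

Running it against the forest root and against the lab child domain side by side shows the default Allow entries on one and the added Deny entries on the other.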
 
