Clarification needed on domain admins scope in child domains

Trust No One®

Hi Folks,

I'm working my way through the "Designing the Active Directory Logical
Structure" portion of the Windows 2003 deployment guide. There is one point
I'm not 100% clear on.

This design guide states that because a domain is not a security boundary,
it cannot be used for service or data isolation. It then goes on to say that
in an organizational domain forest model, a malicious service administrator
in one domain can access any other domain in the forest.

I'm not too clear on the latter statement. Let's say we have an AD forest
with a root domain and 2 child domains - A and B. Is this saying that a
domain admin in child domain (A) can maliciously elevate themselves to
domain admin privilege in child domain (B)? Can they elevate themselves to
Enterprise Admins?

Clarification appreciated!

Joe Richards [MVP]

Yes, that is exactly what it is saying.

If you have a forest with multiple domains, you might as well consider any admin
of any DC in the forest a full Enterprise Admin.

What this means is that you don't give people built-in admin rights, you give
them delegated permissions in the directory. See the AD Delegation whitepaper
and appendix available at the Windows download site.
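As an added illustration of the delegation approach Joe describes (this is not code from the thread or from the whitepaper), the following PowerShell grants a help-desk group only the "Reset Password" extended right on user objects under one OU, instead of putting its members in Domain Admins. The OU path, domain name and group name are assumed placeholders; the two GUIDs are the well-known schema GUIDs for the Reset Password control-access right and the user object class.

```powershell
# Added example: delegate a single right on one OU rather than granting
# built-in admin group membership. Requires the ActiveDirectory module
# (RSAT) and a caller who can modify the OU's security descriptor.
Import-Module ActiveDirectory

# Assumed placeholders - adjust to your forest.
$OuDn       = 'OU=Sales,DC=child-a,DC=corp,DC=example'
$GroupName  = 'CHILD-A\HelpDesk-Sales'

# Well-known GUIDs from the AD schema.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right: Reset Password
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"

$groupSid = (Get-ADGroup -Identity ($GroupName.Split('\')[1])).SID

# Read the OU's current DACL through the AD: drive exposed by the module.
$acl = Get-Acl -Path "AD:\$OuDn"

# Allow the extended right, applied only to descendant "user" objects.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserObjectClass
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: list only the ACEs that now reference the delegated group.
Get-Acl -Path "AD:\$OuDn" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*$($GroupName.Split('\')[1])" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

The point of scoping the ACE to the "user" object class under one OU is that the help desk can reset passwords there and nowhere else; in particular it gains no control over domain controllers, privileged groups or the AdminSDHolder-protected accounts, which is exactly what membership in a built-in admin group would have handed over.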

Chriss3 [MVP]

Yes, this is correct. The forest is the only security boundary, and the domain is
a partition for replication purposes or an administrative boundary. The Domain
Admin of a child domain within the forest can use the SID History attribute
to become an Enterprise Admin.

However, this is also a question of how trusted the domain admins within your
organization are. If you trust the domain admins as highly as enterprise
admins, you have to use another delegation model; try to have the minimum
number of members in Domain Admins, and if you can't trust the members of the
Domain Admins group in the role of Enterprise Admins, and need security, deploy
another forest.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
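The SID History route Christoffer mentions leaves a visible trace: the injected SID sits in the sIDHistory attribute of the account that was elevated. As an added check (not part of the thread, and not something the original posters supplied), the PowerShell below walks every domain in the forest, lists objects that carry sIDHistory, and flags entries whose SID belongs to a domain in the same forest, with a higher severity when the RID is one of the well-known privileged ones. Legitimate inter-forest migrations normally produce sIDHistory values from a foreign domain, so an in-forest value is the suspicious case; the severity labels and the output shape are this example's own choices.

```powershell
# Added example: audit sIDHistory across the forest for in-forest SIDs.
# Requires the ActiveDirectory module and read access to every domain.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Map each in-forest domain SID (string) to its DNS name.
$forestDomainSids = @{}
foreach ($dnsName in $forest.Domains) {
    $dom = Get-ADDomain -Identity $dnsName
    $forestDomainSids[$dom.DomainSID.Value] = $dom.DNSRoot
}

# Well-known RIDs that should never appear in anyone's sIDHistory.
$privilegedRids = @{
    '500' = 'Administrator'
    '512' = 'Domain Admins'
    '516' = 'Domain Controllers'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
}

$findings = foreach ($dnsName in $forest.Domains) {
    # -Server accepts a domain DNS name; the module picks a DC in that domain.
    Get-ADObject -Server $dnsName -LDAPFilter '(sIDHistory=*)' `
                 -Properties sIDHistory, objectClass |
    ForEach-Object {
        $obj = $_
        foreach ($sid in $obj.sIDHistory) {
            $sidString  = $sid.Value
            $sourceDom  = $sid.AccountDomainSid
            $rid        = $sidString.Substring($sidString.LastIndexOf('-') + 1)

            $inForest = $sourceDom -and $forestDomainSids.ContainsKey($sourceDom.Value)
            $severity = 'Info'                       # foreign-domain SID: likely a migration
            if ($inForest) { $severity = 'Suspicious' } # same-forest SID: no migration explains this
            if ($privilegedRids.ContainsKey($rid)) { $severity = 'High' }

            [pscustomobject]@{
                Domain        = $dnsName
                Object        = $obj.DistinguishedName
                ObjectClass   = $obj.objectClass
                HistorySid    = $sidString
                SourceDomain  = if ($inForest) { $forestDomainSids[$sourceDom.Value] } else { 'outside forest' }
                WellKnownRid  = if ($privilegedRids.ContainsKey($rid)) { $privilegedRids[$rid] } else { '' }
                Severity      = $severity
            }
        }
    }
}

$findings | Sort-Object Severity, Domain | Format-Table -AutoSize
```

Run this from each domain's point of view as well if the forest has restrictive cross-domain read permissions, and treat any "High" or "Suspicious" row as an incident to investigate rather than an attribute to clean up quietly, since the account that wrote it already had enough access to do so.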