Domain administrator in multiple domain forest



Someone told me that I should be careful of domain administrators in my
forest, because even though they cannot make themselves enterprise admins,
they still have the ability to take down the entire forest!

That doesn't make sense to me. Anybody care to offer input on this?



Tony Murray

Theoretically, yes, they do have the ability to take down the entire forest.
Domain Admins have full control over DCs. Remember that DCs contain copies
of the configuration and schema (i.e. forest-wide) partitions. Because of
their access to these partitions they have potential to do nasty things to
your forest, which is why a domain is not considered a security boundary,
but rather a security boundary.

If you have security concerns then you should create separate forests for
the domains that you do not fully trust. If you currently have a single
domain forest, try to restrict the number of Domain Admins as much as
possible by using delegation to give people permissions to do only the tasks
they need to perform and no more.



Forgive me for the correction, but I believe that Tony meant to write:

....which is why a domain is not considered a security boundary, but rather
_an administrative_ boundary.

Instead of

Joe Richards [MVP]

Domains are not a security boundary. A domain admin, or in fact, even a server
op can fairly easily escalate themselves to Enterprise Admin level rights. No, I
will not elaborate on that.
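Tony's advice to keep the number of Domain Admins as small as possible, together with Joe's point that Server Operators carry similar weight, calls for a periodic forest-wide review of who sits in those groups. The following PowerShell audit is an added example, not code from this thread; it assumes the ActiveDirectory RSAT module is installed and that the account running it can read group membership in every domain of the forest.

```powershell
# Added example: list members of Domain Admins and Server Operators in each
# domain of the forest, so the counts can be reviewed and trimmed.
Import-Module ActiveDirectory

# Look groups up by well-known identifier rather than display name, so the
# check works regardless of language or renamed groups.
$DomainAdminsRid    = 512             # Domain Admins is <DomainSID>-512
$ServerOperatorsSid = 'S-1-5-32-549'  # Builtin\Server Operators

$report = foreach ($domainName in (Get-ADForest).Domains) {
    $domain = Get-ADDomain -Server $domainName
    $groupSids = @(
        "$($domain.DomainSID.Value)-$DomainAdminsRid",
        $ServerOperatorsSid
    )
    foreach ($groupSid in $groupSids) {
        $group = Get-ADGroup -Identity $groupSid -Server $domainName
        # -Recursive expands nested groups so indirect members are counted too.
        $members = Get-ADGroupMember -Identity $group -Server $domainName -Recursive
        foreach ($m in $members) {
            [pscustomobject]@{
                Domain      = $domainName
                Group       = $group.Name
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                MemberSid   = $m.SID.Value
            }
        }
    }
}

# Summary: one line per domain/group with the effective member count.
# Large counts (or any non-user objectClass in the detail list) are what to review.
$report | Group-Object Domain, Group |
    Select-Object @{n = 'Domain/Group'; e = { $_.Name }}, Count |
    Sort-Object Count -Descending

# Detail: the full member list, suitable for export or comparison with the last run.
$report | Sort-Object Domain, Group, Member | Format-Table -AutoSize
```

Running this on a schedule and diffing the detail list against the previous run turns Tony's "as few Domain Admins as possible" into something you can actually measure.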


