"enterprise admins" member of local domain administrators ?!

F

Franz Schenk

The following question is in a Windows 2003 server environnement, but there
is no Windows 2003 server security NG, so I post the question here (is in
W2K probably the same problem):

We have a parent domain "parent.com" and a child domain "child.parent.com".
The CEO of the child domain asked me if members (including administrators)
can access data in the child domain by default. According to Microsoft, a
domain is a security boundary and I told that access to data in
"child.parent.com" for members of "parent.com" must explicitely granted.

No I saw that the "Enterprise Admins" group of the parent domain is
automatically member of every domain administators local group in every
domain in the forest! So if you intend to grant access to data to the local
administrators group, members of the "enterprise admin" group can
automatically access this data.

This is unacceptable for the CEO of the child domain. Is it possible, and
what are the consequences, when we remove the "enterprise admins" group form
the local administrators group in the child domain? (We also run an Exchange
2003 installation which organisation spans the parent and child domain). We
have seen, that on member servers, the "Enterprise Admin" group is not
automatically member of the local administrators group, but there is
sensitive data on the domain controllers.

Thanks in advance for any help or links to MS documents about this subject.
Franz
 
J

Jeff Smalley

Franz,
I just posted a similar question recently and didn't get
any feedback as to how to lock a non-root domain down from
the root Enterprise Admin folks.
I was teaching a group for a state agency and they were
told to take out the Enterprise Admins group from their
domain Administrators group. That would seem that that
would prevent access but the Enterprise Admins have rights
base on Security settings on all the Active Directory
containers in the non-root domain. Running a simple test I
logged in as an Enterprise Admin member and I couldn't add
myself back as an Administrator but I could add myself to
the Account operators. I have search through out
Microsoft's website and can't find any recommendations as
to securing your child domain. The only 2 design thoughts
would be to have an empty root domain design of your
forest or to create a seperate forest entirely. Both don't
really help since you already have your AD rolled out.

If you find anything please post it.

Regards,
Jeff Smalley
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

How to add child domain user in parent Domain admin group 2
Active Directory env - Enterprise Administrators (EA) 1
How to add child domain user into parent Domain's Domain admins gr 1
Should this work? - Folder permissions 1
Domain Admin vs Local Admin 7
Domain Admins can't manage computers 3
Child/Parent Domain sanity Check 3
Child domain - Global group permissions 1

Top