domain administrator is multiple domain forest

Ziek

Someone told me that I should be careful of domain administrators in my
forest, because even though they cannot make themselves enterprise admins,
they still have the ability to take down the entire forest!

That doesn't make sense to me. Anybody care to offer input on this?
 
Theoretically, yes, they do have the ability to take down the entire forest.
Domain Admins have full control over DCs. Remember that DCs contain copies
of the configuration and schema (i.e. forest-wide) partitions. Because of
their access to these partitions they have potential to do nasty things to
your forest, which is why a domain is not considered a security boundary,
but rather a security boundary.

If you have security concerns then you should create separate forests for
the domains that you do not fully trust. If you currently have a single
domain forest, try to restrict the number of Domain Admins as much as
possible by using delegation to give people permissions to do only the tasks
they need to perform and no more.

Tony
www.activedir.org
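An added example, not part of Tony's post, showing the two points above as something you can check: that every DC carries the forest-wide configuration and schema partitions, and where the privileged accounts actually are. It assumes the RSAT ActiveDirectory module on a domain-joined machine with read access to the forest; the OU, domain and group names in the delegation line at the end are hypothetical placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = Get-ADRootDSE

# 1. Forest-wide partitions. The configuration and schema naming contexts are the
#    same on every DC in every domain of the forest, so a Domain Admin who owns a
#    DC in a child domain holds a writable replica of forest-wide data.
"Forest-wide partitions held by this DC:"
$root.configurationNamingContext
$root.schemaNamingContext

# 2. Who is privileged. Enterprise Admins and Schema Admins exist only in the
#    forest root; Domain Admins exists in every domain, so count it per domain.
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
foreach ($g in 'Enterprise Admins', 'Schema Admins') {
    $m = Get-ADGroupMember -Identity $g -Server $rootDomain.PDCEmulator -Recursive
    "{0} ({1}): {2}" -f $g, $forest.RootDomain, ($m.SamAccountName -join ', ')
}
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $m = Get-ADGroupMember -Identity 'Domain Admins' -Server $dom.PDCEmulator -Recursive
    "Domain Admins ({0}): {1} member(s): {2}" -f $d, @($m).Count, ($m.SamAccountName -join ', ')
}

# 3. Delegation instead of Domain Admins membership: grant one task (here, password
#    reset on users under an OU) to a helpdesk group. Names below are hypothetical.
# dsacls "OU=Helpdesk Users,DC=corp,DC=example" /I:S /G "CORP\HelpdeskOps:CA;Reset Password;user"
```

Run the audit part as-is; the dsacls line is shown commented so nothing is changed until you have substituted your own OU and group. The point of step 2 is that the number to drive down is the Domain Admins count in every domain, not only the Enterprise Admins count in the root.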
 
Forgive me for the correction, but I believe that Tony meant to write:

....which is why a domain is not considered a security boundary, but rather
_an administrative_ boundary.

Instead of
 
Domains are not a security boundary. A domain admin, or in fact, even a server
op can fairly easily escalate themselves to Enterprise Admin level rights. No I
will not elaborate on that.

joe
 