Chris
We run a very secure NT 4.0 Domain due to confidentiality
of many Partner legal documents on our file servers. At no
time is anyone allowed to access our file server or groups
from outside of our domain. We are asked by the Internal
Security Group to upgrade our domain to Windows 2000 and
join the Firm's already established Active Directory
Forest. Our Partnership domain would most likely be added
as an additional Child Domain as opposed to being added as
an Organizational Unit, since Microsoft considers a
Domain to be a 'security boundary'... but we have some
concerns. The big security flaw is that Enterprise
Administrators (EAs) at the Parent level have the ability
to add groups to local domain groups, access or bypass
controls over our domain's security at any time. My
questions are...

1. What levels of control does an EA have over a Child Domain?
2. If there are 15 Domain EAs that administer the entire
Organization Structure, how do I monitor all of them when
they have higher up controls? Actually, we don't want to
trust them, so
3. What can we do without having to set up an entirely
different Namespace?
4. If there are any restrictions that can be set on our
domain level, or any auditing, is there much administrative
overhead involved?

In general, Enterprise Admins and Schema Admins have special
permissions within an AD forest, by default allowing them
access to all resources. There are "span of control"
implications here. Anyone out there have any experience in
an already established Parent and Child Domain forest
structure and has applied security controls for this?
Thanks.
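Question 2 above (monitoring what parent-domain Enterprise Admins do inside the child domain) is the one that is most directly answerable with auditing. The following is an added example, not code from the original post or from anyone who replied to it: it runs a simple detection over group-membership-change audit events and flags changes that cross the child domain's boundary, either because the account making the change belongs to another domain or because the principal being added carries a foreign domain SID. The event records, domain names (PARTNER for the child, FIRM for the parent) and SID prefixes are constructed for the example; the event IDs 4728/4732/4756 are the "member added to a security-enabled global/local/universal group" IDs on current Windows (the Windows 2000 era equivalents were 632/636/660). The field names on the event records are an assumption about whatever log collector feeds this script.

```python
"""Flag group-membership changes in a child domain that originate from, or
pull in principals from, another domain in the forest.  Added example; the
event records below are constructed, not real log data."""

from dataclasses import dataclass, field

# "A member was added to a security-enabled ... group" (Windows 2008+ IDs;
# Windows 2000/2003 logged the same events as 632, 636 and 660).
MEMBER_ADDED_EVENTS = {4728: "global", 4732: "domain local", 4756: "universal"}

# Groups in the child domain whose membership is most sensitive (assumed set;
# "Partner Documents" stands in for a group guarding the legal file shares).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Account Operators",
                     "Partner Documents"}


@dataclass
class MembershipEvent:
    event_id: int
    subject_domain: str   # domain of the account that made the change
    subject_user: str
    target_group: str     # group whose membership changed
    member_sid: str       # SID of the principal that was added


@dataclass
class Alert:
    severity: str
    event_id: int
    target_group: str
    reasons: list = field(default_factory=list)


def sid_domain_prefix(sid: str) -> str:
    """Domain identifier of a SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]


def audit_events(events, child_domain, child_domain_sid):
    """Return an Alert for every membership addition that crosses the child
    domain boundary.  Severity is 'high' when the target is a privileged
    group, 'medium' otherwise; same-domain changes produce no alert."""
    alerts = []
    for ev in events:
        if ev.event_id not in MEMBER_ADDED_EVENTS:
            continue
        reasons = []
        if ev.subject_domain.upper() != child_domain.upper():
            reasons.append(f"changed by {ev.subject_domain}\\{ev.subject_user}, "
                           f"an account outside {child_domain}")
        if sid_domain_prefix(ev.member_sid) != child_domain_sid:
            reasons.append(f"added member {ev.member_sid} belongs to another domain")
        if not reasons:
            continue
        severity = "high" if ev.target_group in PRIVILEGED_GROUPS else "medium"
        alerts.append(Alert(severity, ev.event_id, ev.target_group, reasons))
    return alerts


# Constructed sample: PARTNER is the child domain, FIRM the parent.
CHILD_DOMAIN = "PARTNER"
CHILD_SID = "S-1-5-21-100-200-300"     # constructed domain SID prefix
PARENT_SID = "S-1-5-21-900-800-700"    # constructed domain SID prefix

SAMPLE_EVENTS = [
    # Routine: child-domain admin adds a child-domain user to the share group.
    MembershipEvent(4728, "PARTNER", "jsmith", "Partner Documents", CHILD_SID + "-1105"),
    # Boundary crossing: parent-domain EA adds FIRM's Domain Admins (RID 512)
    # to the child domain's built-in Administrators group.
    MembershipEvent(4732, "FIRM", "eadmin", "Administrators", PARENT_SID + "-512"),
    # Lower severity: child helpdesk adds a FIRM user to a non-privileged group.
    MembershipEvent(4732, "PARTNER", "helpdesk", "Print Operators", PARENT_SID + "-1200"),
    # Unrelated event ID is ignored.
    MembershipEvent(4624, "FIRM", "eadmin", "", PARENT_SID + "-1200"),
]


if __name__ == "__main__":
    for a in audit_events(SAMPLE_EVENTS, CHILD_DOMAIN, CHILD_SID):
        print(f"[{a.severity}] event {a.event_id} on {a.target_group}: "
              + "; ".join(a.reasons))
```

The script only answers the "who touched my groups" half of the question; it cannot stop an Enterprise Admin from making the change, and an EA could also clear or disable the audit log on the child domain's controllers, so in practice the events would be forwarded off-box as they are written.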