"enterprise admins" member of local domain administrators ?!


Franz Schenk

The following question is in a Windows 2003 server environment, but there
is no Windows 2003 server security NG, so I post the question here (it is
probably the same problem in W2K):

We have a parent domain "parent.com" and a child domain "child.parent.com".
The CEO of the child domain asked me if members (including administrators)
can access data in the child domain by default. According to Microsoft, a
domain is a security boundary and I told him that access to data in
"child.parent.com" for members of "parent.com" must be explicitly granted.

Now I saw that the "Enterprise Admins" group of the parent domain is
automatically a member of the local Administrators group of every
domain in the forest! So if you intend to grant access to data to the local
Administrators group, members of the "Enterprise Admins" group can
automatically access this data.

This is unacceptable for the CEO of the child domain. Is it possible, and
what are the consequences, when we remove the "Enterprise Admins" group from
the local Administrators group in the child domain? (We also run an Exchange
2003 installation whose organisation spans the parent and child domain.) We
have seen that on member servers the "Enterprise Admins" group is not
automatically a member of the local Administrators group, but there is
sensitive data on the domain controllers.

Thanks in advance for any help or links to MS documents about this subject.
Franz
 
Franz,
I just posted a similar question recently and didn't get
any feedback as to how to lock a non-root domain down from
the root Enterprise Admin folks.
I was teaching a group for a state agency and they were
told to take out the Enterprise Admins group from their
domain Administrators group. It would seem that that
would prevent access, but the Enterprise Admins have rights
based on security settings on all the Active Directory
containers in the non-root domain. Running a simple test, I
logged in as an Enterprise Admin member and I couldn't add
myself back as an Administrator, but I could add myself to
the Account Operators. I have searched throughout
Microsoft's website and can't find any recommendations as
to securing your child domain. The only 2 design thoughts
would be to have an empty root domain design of your
forest or to create a separate forest entirely. Both don't
really help since you already have your AD rolled out.

If you find anything please post it.

Regards,
Jeff Smalley
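A defender-side check for what both posts describe, written as an added PowerShell example (not code from either poster): whether Enterprise Admins is still a direct member of the child domain's Administrators group, and which ACEs on the child domain's head, containers and OUs still name Enterprise Admins after that membership is removed. It assumes the ActiveDirectory module (RSAT), an account that can read the child domain, and uses the thread's domain names as placeholders.

```powershell
# Added audit script, not from the thread. Assumes the ActiveDirectory
# module (RSAT) and an account that can read the child domain.
# Domain names are the placeholders used in the thread.
Import-Module ActiveDirectory

$forestRoot  = 'parent.com'
$childDomain = 'child.parent.com'

# Enterprise Admins exists only in the forest root domain; resolve it there.
$ea = Get-ADGroup -Identity 'Enterprise Admins' -Server $forestRoot

# Check 1: is Enterprise Admins still a direct member of the child domain's
# built-in Administrators group? (Nested membership is not covered here.)
$adminGrp = Get-ADGroup -Identity 'Administrators' -Server $childDomain -Properties member
if ($adminGrp.member -contains $ea.DistinguishedName) {
    Write-Output "Enterprise Admins IS a direct member of $childDomain\Administrators"
} else {
    Write-Output "Enterprise Admins is NOT a direct member of $childDomain\Administrators"
}

# Check 2: the rights Jeff observed come from ACEs on directory objects, and
# removing a group membership does not change a single ACE. Walk the domain
# head, containers and OUs of the child domain and list every ACE that names
# Enterprise Admins, so the remaining rights are visible.
$childDN = (Get-ADDomain -Server $childDomain).DistinguishedName
New-PSDrive -Name ChildAD -PSProvider ActiveDirectory -Server $childDomain -Root '' | Out-Null

$scope = Get-ADObject -Server $childDomain -SearchBase $childDN `
    -LDAPFilter '(|(objectClass=domainDNS)(objectClass=container)(objectClass=organizationalUnit))'

$findings = foreach ($obj in $scope) {
    try {
        $acl = Get-Acl -Path "ChildAD:\$($obj.DistinguishedName)"
    } catch {
        Write-Warning "Cannot read ACL of $($obj.DistinguishedName): $_"
        continue
    }
    foreach ($ace in $acl.Access) {
        # IdentityReference is an NTAccount such as PARENT\Enterprise Admins
        if ($ace.IdentityReference.Value -like '*\Enterprise Admins') {
            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Rights    = $ace.ActiveDirectoryRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}
$findings | Sort-Object Object | Format-Table -AutoSize
```

The second listing is the one to read: Allow entries that are not inherited were set directly on that object and stay in force regardless of group membership.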
 