How to block off Enterprise Admin in a different tree but same forest?


Mary

I have seen a published paper from Lucent regarding blocking off Enterprise
Admin from accessing your domain within a forest. But somehow, the Ent Admin
keeps populating back in the Administrators security page after an ADC
connector has been established.

Any idea?

thx
Mary
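Whichever way the question above is decided, the symptom Mary describes (the Enterprise Admins group reappearing in a domain's Administrators group) is something worth detecting rather than discovering by accident. The following PowerShell script is an added example, not code from the thread or from the Lucent paper; it assumes the ActiveDirectory module is available, that Enterprise Admins carries RID 519 in the forest-root domain, and that cross-domain members of a domain-local group show up as foreign security principals named by SID under CN=ForeignSecurityPrincipals. The Test-EnterpriseAdminsInAdministrators function name and the -Domain parameter are choices made for this example.

```powershell
# Added example (not from the original thread): report whether the forest-root
# "Enterprise Admins" group is currently a member of a domain's built-in
# Administrators group, so that drift can be caught by a scheduled check.
Import-Module ActiveDirectory

function Test-EnterpriseAdminsInAdministrators {
    param(
        # Assumption: defaults to the domain the script is run in.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    # Enterprise Admins exists only in the forest-root domain, RID 519.
    $rootName   = (Get-ADForest).RootDomain
    $rootDomain = Get-ADDomain -Identity $rootName
    $eaSid      = "$($rootDomain.DomainSID.Value)-519"
    $eaDn       = "CN=Enterprise Admins,CN=Users,$($rootDomain.DistinguishedName)"

    # Read the raw member attribute rather than expanding members, because a
    # member from another domain is stored as a foreign security principal.
    $admins = Get-ADGroup -Identity 'Administrators' -Server $Domain -Properties member

    $present = $false
    foreach ($memberDn in $admins.member) {
        if ($memberDn -eq $eaDn) {
            # Direct membership (the normal case inside the forest-root domain).
            $present = $true
        }
        elseif ($memberDn -like "CN=$eaSid,CN=ForeignSecurityPrincipals,*") {
            # Membership via the FSP object that a child domain creates for the SID.
            $present = $true
        }
    }

    [pscustomobject]@{
        Domain                           = $Domain
        EnterpriseAdminsInAdministrators = $present
        CheckedAt                        = Get-Date
    }
}

# Example invocation: check the current domain and print the result.
Test-EnterpriseAdminsInAdministrators | Format-Table -AutoSize
```

Run it from a scheduled task or a monitoring job and alert when the value flips from the state you expect; comparing the raw member DNs against both forms avoids the cross-domain resolution failures that expanding group members can produce.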
 
You aren't really supposed to do that -- if you cannot trust the
Enterprise Admins you need new Enterprise Admins.
 
This can really break the ability to accomplish forest wide maintenance.
Consider a separate forest if you want autonomy.
 
I suspect MS did not plan for and did not test child domain admins removing
enterprise admins from access to a domain.
This paper may not include all the repercussions of this action.
 
I've read about blocking EAs from child domains (in a book by authors whom I
completely trust) and they didn't mention any repercussions other than the
obvious - that the central IT people CANNOT administer this domain.

I can see this coming in handy; after all, multiple domains is bad enough -
multiple forests is worse. I would also take this route were I asked to do
so...

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
______________________________________
I suspect MS did not plan for and did not test child domain admins removing
enterprise admins from access to a domain.
This paper may not include all the repercussions of this action.
 
This does, however, have repercussions if you are working with IAS or you
have Parent CAs, as many operations involving these require Enterprise Admin
and Domain Admin rights. (Like if you have EAP enabled on devices.)

Remember, you shouldn't be using Enterprise Admin accounts for anything
other than operations that require them.

Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services, Inc
 
I would agree with Glenn L as stated previously - "Consider a separate
forest if you want autonomy". The paper mentioned was also not written
by someone at Microsoft; considering what I would term a "disruption
of base AD design", I would think about this hard before pressing
forward with that option. If you proceed with too many of these
endeavors that wildly stray from the intended implementation, you will
end up with a nightmare that you don't need. To quote a friend at
Microsoft - "The great thing about Windows 2000/2003 is its awesome
flexibility, and a bad thing about Windows 2000/2003 is its awesome
flexibility".

Chris Malone
 