Reducing DomainAdmin rights


Kwyjibo.

Hi,
Is there any way to reduce the access that the Domain Administrator group
has to perform certain operations on the network?
I have a group of Administrators that I would like to remove the right to
clear event logs and also remove the right to add themselves to the
Enterprise Administrators group.
The reason for this is that previously they were all logging in on the
Administrator account then making changes that were impossible to audit
(due to everything appearing as being done by Administrator).
I have now scrambled the Administrator account password forcing them to
login as themselves and activated security auditing so I can see what they
are doing. I don't want them to make changes (to accounts etc) then be able
to remove the evidence from the security event log.

Ideally I only want the Enterprise Administrator group to be able to clear
the logs, which would mean I need to be able to restrict their ability to
add themselves to the Ent. Admin group as well.

Any assistance would be appreciated.
 
The problem is, anything you do to restrict them, they can undo because they
are domain admins.

Enterprise Admins only really come into play when you have a multi-domain
environment.

Oli
 
Oli Restorick said:
> The problem is, anything you do to restrict them, they can undo
> because they are domain admins.

Thanks, Oli. That's what I suspected.
So I guess I will have to create a new group that only has the rights I
want them to have then assign them to that group instead of the Domain
Administrator group?
(It's a pain working with people you can't trust.....)
> Enterprise Admins only really come into play when you have a
> multi-domain environment.

Or if trying to add a DHCP server to a single domain.....
 
> Thanks, Oli. That's what I suspected.
> So I guess I will have to create a new group that only has the rights I
> want them to have then assign them to that group instead of the Domain
> Administrator group?
That would be the way to do it, although it's much easier said than done.
> (It's a pain working with people you can't trust.....)
The way to deal with untrustworthy admins is to make them ex-employees.
> Or if trying to add a DHCP server to a single domain.....
Yep, that too (and a couple of other things).

Regards

Oli
 
> The way to deal with untrustworthy admins is to make them ex-employees.

I'd love to, but trying to sack someone from a government job in Australia
is almost impossible.

Thanks for your help.
 
Yeah, I can imagine.

Delegation of Control Wizard it is, then!

Cheers

Oli
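As an added example that is not part of the thread, this is roughly what the approach agreed above looks like when scripted: a custom group that is not in Domain Admins, only the rights it needs delegated on one OU (dsacls is the command-line counterpart of the Delegation of Control Wizard), a check that none of its members still sit in a group that could undo the delegation, and a query for who cleared the Security log. The domain, OU and group names are placeholders, and the script assumes the RSAT ActiveDirectory module and an account permitted to create groups and edit OU ACLs.

```powershell
# Added example, not code from the thread. All names below are hypothetical.
Import-Module ActiveDirectory

$Domain    = 'EXAMPLE'                                # hypothetical NetBIOS name
$GroupName = 'Delegated-Account-Admins'               # hypothetical group
$GroupOU   = 'OU=Groups,DC=example,DC=local'          # hypothetical container
$TargetOU  = 'OU=Managed Users,DC=example,DC=local'   # hypothetical OU

# 1. A plain global security group; it is deliberately NOT nested in Domain Admins.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Account administration on the managed OU only'
}

# 2. Grant just the rights the admins need, scoped to user objects in that OU.
#    /I:S applies the ACE to child objects, /I:T to the OU and its children.
#    CA = control access (extended right), RP/WP = read/write property,
#    CC/DC = create/delete child; the trailing ';user' limits the object type.
$Principal = "$Domain\$GroupName"
dsacls $TargetOU /I:S /G "${Principal}:CA;Reset Password;user"
dsacls $TargetOU /I:S /G "${Principal}:RPWP;lockoutTime;user"
dsacls $TargetOU /I:S /G "${Principal}:RPWP;pwdLastSet;user"
dsacls $TargetOU /I:T /G "${Principal}:CCDC;user"

# 3. Confirm nobody in the delegated group still holds a group that could
#    simply undo the delegation (nested membership included). Enterprise and
#    Schema Admins exist only in the forest root domain, hence the error handling.
function Get-PrivilegedOverlap {
    param([string]$DelegatedGroup)
    $delegated = Get-ADGroupMember -Identity $DelegatedGroup -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName
    foreach ($priv in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
        $members = Get-ADGroupMember -Identity $priv -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty SamAccountName
        foreach ($user in $delegated) {
            if ($members -contains $user) {
                [pscustomobject]@{ User = $user; StillMemberOf = $priv }
            }
        }
    }
}
Get-PrivilegedOverlap -DelegatedGroup $GroupName

# 4. Who cleared the Security log? When the log is cleared, the Eventlog service
#    writes event 1102 as the first record of the fresh log, naming the account.
#    Checked on every domain controller.
function Get-SecurityLogClearEvents {
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
            -ErrorAction SilentlyContinue | ForEach-Object {
                $data = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
                [pscustomobject]@{
                    Computer = $dc
                    Time     = $_.TimeCreated
                    Account  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                }
            }
    }
}
Get-SecurityLogClearEvents
```

Run it from a workstation with RSAT under an account that is not itself in the delegated group. The point Oli makes still applies: anyone who remains in Domain Admins can clear the log on a DC or switch auditing off, so the 1102 record above only survives if Security events are also forwarded to a collector those admins cannot administer (for example Windows Event Forwarding to a box owned by a different team).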
 