Restricting "Enterprise Admins" sec group


Jim Singh

Hi -
Does anyone know of possible implications of restricting/blocking the
"Enterprise Admins" security group's permissions from a child-level domain,
besides the DHCP pool auth, child domain creation, ADC, etc.?

Does blocking the "EA" group from the child domain have any impact on replication?
And are there any other serious implications, i.e. attribute/class
dependencies, etc.?
Thanks!
 

Jeremy @ Gilbarco

Wouldn't it be better to move the users in Enterprise Admins
into the Domain Admins group instead? If you do not have
an empty root, this would be my choice instead of blocking
its permissions.
 

Jim Singh

Jeremy, thanks for your reply!

Here is my infrastructure:
One empty root domain and nine child line-of-business domains, all
Windows 2003 Server (interim mode).
As Microsoft restated after the W2K release that the forest is in fact the
ultimate security boundary and not the domain, some of the child domains actually
want to have their own forest to protect data. I have stated that data
protection can be achieved by blocking the EA permissions to the domain object,
local admin group, and admin account (as I have tested in the lab). The
only thing I am concerned about is whether there are any replication issues that would
occur or any other attribute-level corruption.

Thanks.
-Jim
(e-mail address removed)
 

Joe Richards [MVP]

I will make it very simple.

It is impossible with the current design of Active Directory to effectively
block Enterprise Admins from any part of the forest. There are too many ways
they can get around anything you set up. Do not think about doing it, because it
would simply give you a false sense of security.

If you do not trust your Enterprise Admins, fire them or set up your own forest.
Those are the only realistic secure options.

joe
 

Joe Richards [MVP]

If they are trying to protect data on file servers, AD structure and management
doesn't matter. They need to be encrypting the data with some third-party
encryption software. If they are trying to protect parts of AD, it cannot be
done. An Enterprise Admin can get past any attempt at blocking access in the
forest.

joe
 

Jim Singh

Joe,
If I am understanding you correctly, then you are saying that since "GPO
admins" and "schema admins" also have permissions in the down-level child
domains, it would probably take a lot to totally isolate the child domain! I
have done testing where I blocked the EA from the child domain, and I didn't
see any replication errors so far.
I guess it's true that the only workaround in this situation is to have a
separate forest or maybe a separate tree.
Thanks for your response.
 

Joe Richards [MVP]

It isn't about replication. It is about the fact that you cannot make an
Enterprise Admin unable to gain access to anything in the forest they want
access to. Enterprise Admin is god in the forest they live in. If you have an
Enterprise Admin that has a clue, they can undo anything you do to get to
anything in the forest, be it in a child domain or in a separate tree. The only
true security boundary in a forest is the forest itself.

If you need true security, you need separate forests, or if it is simply data,
then you need a good third-party encryption package.

If you need to look like you have security, you can knock yourself out removing
EA from ACLs, but any security advisor that comes in that has a clue will point
that out as not secure right off.

joe
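To put a check behind Jim's lab test (removing EA from the child domain's ACLs) and Joe's point that an Enterprise Admin gets back in anyway, here is an added audit script. It is not code from any poster in this thread. It assumes the ActiveDirectory PowerShell module (RSAT), which post-dates the Windows Server 2003 forest described above, and that it is run from a machine joined to the child domain so that the default AD: drive points at that domain; the function name Get-EnterpriseAdminReach and the set of objects it inspects are my choices. It enumerates the routes by which Enterprise Admins still reaches a child domain after explicit ACEs have been removed: its default membership in the child's BUILTIN\Administrators group, the owner of each object (an owner can always rewrite the DACL), the AdminSDHolder object (whose DACL is re-stamped onto protected groups such as Domain Admins by SDProp, so ACE removals on those groups do not stick), and the forest-wide configuration and schema partitions, which every DC in the child domain replicates but which the child domain cannot ACL independently of the forest.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and a session on a machine joined to the child domain being audited.
Import-Module ActiveDirectory

function Get-EnterpriseAdminReach {
    param(
        # DNS name of the child domain to audit; defaults to the session's domain.
        [string] $DomainName = (Get-ADDomain).DNSRoot
    )

    $forest  = Get-ADForest
    $domain  = Get-ADDomain -Identity $DomainName
    $root    = Get-ADDomain -Identity $forest.RootDomain
    $rootDse = Get-ADRootDSE -Server $DomainName

    # Enterprise Admins exists only in the forest root domain and always has RID 519.
    $eaSid   = [System.Security.Principal.SecurityIdentifier]"$($root.DomainSID.Value)-519"
    $eaGroup = Get-ADGroup -Identity $eaSid.Value -Server $forest.RootDomain
    try   { $eaName = $eaSid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $eaName = $eaSid.Value }

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Group membership. When a domain joins the forest, Enterprise Admins is added
    #    to that domain's BUILTIN\Administrators. Removing it is a one-line change for
    #    anyone who can still write the group's member attribute, so it is not durable.
    $builtinAdmins = Get-ADGroup -Identity 'Administrators' -Server $DomainName -Properties member
    if ($builtinAdmins.member -contains $eaGroup.DistinguishedName) {
        $findings.Add("$DomainName\Administrators still lists $eaName as a direct member")
    }

    # 2. ACEs and ownership on the objects a child domain would try to lock down.
    $targets = @(
        $domain.DistinguishedName,
        "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)",
        "CN=Administrators,CN=Builtin,$($domain.DistinguishedName)"
    )
    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        $eaAces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $eaName }
        foreach ($ace in $eaAces) {
            $findings.Add("$dn : $($ace.AccessControlType) $($ace.ActiveDirectoryRights) " +
                          "for $eaName (inherited: $($ace.IsInherited))")
        }
        # Whatever ACEs are removed, the owner can put them back; report who that is.
        $findings.Add("$dn : owner is $($acl.Owner)")
    }

    # 3. Forest-wide naming contexts. They replicate to every DC in the child domain,
    #    and their DACLs belong to the forest, not to the child domain.
    $forestNcs = @($rootDse.configurationNamingContext, $rootDse.schemaNamingContext)
    foreach ($dn in $forestNcs) {
        $acl = Get-Acl -Path "AD:\$dn"
        $rights = ($acl.Access |
                   Where-Object { $_.IdentityReference.Value -eq $eaName } |
                   ForEach-Object { $_.ActiveDirectoryRights }) -join ', '
        if ($rights) { $findings.Add("$dn : $eaName holds $rights") }
    }

    return $findings
}

Get-EnterpriseAdminReach | ForEach-Object { Write-Output $_ }
```

Run it before and after removing the EA ACEs that Jim describes. The ACE lines under the domain head may disappear, but the membership line, the owner lines and the configuration/schema lines do not, which is the concrete form of Joe's objection: each of those is a path an Enterprise Admin can use to restore whatever was removed, and none of them is under the child domain's control.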
 