domain administrator in multiple domain forest

Ziek
Nov 5, 2004
Archived from groups: microsoft.public.win2000.active_directory

Someone told me that I should be careful of domain administrators in my
forest, because even though they cannot make themselves enterprise admins,
they still have the ability to take down the entire forest!

That doesn't make sense to me.. Anybody care to offer input on this?
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Theoretically, yes, they do have the ability to take down the entire forest.
Domain Admins have full control over DCs. Remember that DCs contain copies
of the configuration and schema (i.e. forest-wide) partitions. Because of
their access to these partitions they have potential to do nasty things to
your forest, which is why a domain is not considered a security boundary,
but rather a security boundary.

If you have security concerns then you should create separate forests for
the domains that you do not fully trust. If you currently have a single
domain forest, try to restrict the number of Domain Admins as much as
possible by using delegation to give people permissions to do only the tasks
they need to perform and no more.

Tony
www.activedir.org

"Ziek" <ziek@nomail.net> wrote in message
news:ufgSt$wXFHA.796@TK2MSFTNGP10.phx.gbl...
> Someone told me that I should be careful of domain administrators in my
> forest, because even though they cannot make themselves enterprise admins,
> they still have the ability to take down the entire forest!
>
> That doesn't make sense to me.. Anybody care to offer input on this?
>
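A defender-side check that follows from Tony's point, added here as an example that is not part of the thread: it assumes the ActiveDirectory PowerShell module (RSAT) and an account that can read every domain, and it inventories the effective Domain Admins of each domain in the forest and then lists who holds write-class rights on the forest-wide Configuration and Schema partitions that every DC replicates.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and
# forest-wide read access; run from a workstation with RSAT installed.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE -Server $forest.RootDomain

# 1. Effective Domain Admins per domain, with nested groups expanded.
#    This is the population Tony suggests keeping as small as possible.
foreach ($domain in $forest.Domains) {
    $members = @(Get-ADGroupMember -Identity 'Domain Admins' -Server $domain -Recursive)
    Write-Host ("{0}: {1} effective Domain Admins" -f $domain, $members.Count)
    $members |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object @{n='Domain'; e={ $domain }}, SamAccountName, DistinguishedName |
        Format-Table -AutoSize
}

# 2. Who can write to the forest-wide partitions. Ownership changes, DACL
#    changes and generic write are the rights that amount to control of a
#    naming context, so those are the ACEs worth reviewing.
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
foreach ($nc in @($rootDse.configurationNamingContext, $rootDse.schemaNamingContext)) {
    $acl = Get-Acl -Path ("AD:\" + $nc)
    Write-Host "--- Write-class ACEs on $nc ---"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match $writeRights } |
        Select-Object @{n='Trustee'; e={ $_.IdentityReference.Value }},
                      ActiveDirectoryRights, IsInherited |
        Sort-Object Trustee, ActiveDirectoryRights -Unique |
        Format-Table -AutoSize
}
```

Any trustee in the second listing that is not a built-in forest-level group (Enterprise Admins, Schema Admins, SYSTEM) deserves an explanation, because write rights on these partitions reach every domain in the forest.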
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Forgive me for the correction, but I believe that Tony meant to write:

....which is why a domain is not considered a security boundary, but rather
_an administrative_ boundary.

Instead of

> which is why a domain is not considered a security boundary, but rather a
> security boundary.


--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Domains are not a security boundary. A domain admin, or in fact, even a server
op can fairly easily escalate themselves to Enterprise Admin level rights. No I
will not elaborate on that.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Ziek wrote:
> Someone told me that I should be careful of domain administrators in my
> forest, because even though they cannot make themselves enterprise admins,
> they still have the ability to take down the entire forest!
>
> That doesn't make sense to me.. Anybody care to offer input on this?
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks Paul :)

Actually, I was going to write "replication boundary", but "administrative
boundary" also works.

Tony
www.activedir.org

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:1116832358.743728@ernani.logica.co.uk...
> Forgive me for the correction, but I believe that Tony meant to write:
>
> ...which is why a domain is not considered a security boundary, but
> rather
> _an administrative_ boundary.
>
> Instead of
>
>> which is why a domain is not considered a security boundary, but rather a
>> security boundary.
>
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>