Blocking AD Enterprise Admin
#1
Scooby Regular
Thread Starter
Join Date: Jun 2002
Location: Switzerland
Posts: 643
Situation: A Windows 2000 Active Directory tree with multiple sub domains.
Problem: I need to secure a sub domain so that only Domain admins and users within the domain are able to access resources and view info within the domain. Is it possible to lock out Enterprise admins from viewing or accessing any data within the sub domain?
The ultimate goal is to have an NT4 style domain within the forest with its own security boundary.
#4
Scooby Regular
iTrader: (1)
Join Date: Jul 2004
Location: There on the stair
Posts: 10,208
Personally I'd look at a separate Domain, not a child one... this way you can set up trusts for the accounts you wish to, and block those you don't....
You could even set up a one way trust, it's simple to implement with Win2K3 - you really don't want to start mucking around with restricting Domain (Enterprise) Admin access... you'll run into all sorts of problems down the line.
#5
Scooby Regular
Join Date: Sep 2002
Location: Northampton
Posts: 399
The Domain in a W2k3 implementation is NOT a security boundary. The Enterprise admin is the God account for the whole Forest. The only way to achieve what you want is to have multiple forests and then set up trusts from the domain in 1 forest to the required domains in the other.
Steve
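Added example, not part of any post in this thread: a PowerShell audit that lists, for every domain in a forest, the default places where the forest-root Enterprise Admins group holds rights, which is what the replies mean by the domain not being a security boundary. It assumes the RSAT ActiveDirectory module and domain controllers that expose AD Web Services; the function name `Get-EnterpriseAdminReach` is hypothetical.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and DCs reachable over AD Web Services; run with read access to each domain.
Import-Module ActiveDirectory

function Get-EnterpriseAdminReach {
    $forest = Get-ADForest
    $root   = Get-ADDomain -Identity $forest.RootDomain

    # Enterprise Admins is the well-known RID 519 in the forest root domain.
    $eaSid = "$($root.DomainSID)-519"
    $eaDn  = (Get-ADGroup -Identity $eaSid -Server $root.PDCEmulator).DistinguishedName

    foreach ($name in $forest.Domains) {
        $domain = Get-ADDomain -Identity $name
        $dc     = $domain.PDCEmulator

        # 1) By default Enterprise Admins is nested in each domain's
        #    BUILTIN\Administrators group (S-1-5-32-544).
        $builtin = Get-ADGroup -Identity 'S-1-5-32-544' -Server $dc -Properties member
        $nested  = $builtin.member -contains $eaDn

        # 2) ACEs granted to Enterprise Admins on the domain root object,
        #    read from the object's security descriptor with SIDs untranslated.
        $entry = [ADSI]"LDAP://$dc/$($domain.DistinguishedName)"
        $aces  = $entry.psbase.ObjectSecurity.GetAccessRules(
                     $true, $true, [System.Security.Principal.SecurityIdentifier]) |
                 Where-Object { $_.IdentityReference.Value -eq $eaSid }

        $rights = $aces | ForEach-Object {
            "$($_.AccessControlType):$($_.ActiveDirectoryRights)"
        }

        [pscustomobject]@{
            Domain           = $name
            InBuiltinAdmins  = $nested
            RootObjectRights = ($rights | Sort-Object -Unique) -join '; '
        }
    }
}

# One record per domain in the forest, child domains included.
Get-EnterpriseAdminReach | Format-List
```

The output is an inventory for review only; as the replies above say, isolating a domain from Enterprise Admins takes a separate forest with trusts, not edits to these grants.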