Blocking AD Enterprise Admin

Old 19 September 2005, 12:15 PM
  #1  
swaussie
Scooby Regular
Thread Starter
 

Situation: A Windows 2000 Active Directory tree with multiple sub domains.

Problem: I need to secure a sub domain so that only Domain admins and users within the domain are able to access resources and view info within the domain. Is it possible to lock out Enterprise admins from viewing or accessing any data within the sub domain?

The ultimate goal is to have an NT4 style domain within the forest with its own security boundary.
Old 20 September 2005, 11:25 AM
  #2  
David_Wallis
Scooby Regular
 

fookin ell I wouldn't recommend it, but you could probably do it with ADSI Edit.

David
Old 20 September 2005, 12:00 PM
  #3  
GaryScoobNCBR
Scooby Regular
 

I think you should look at the enterprise admins and ask if they need to have that power, not all admins need enterprise admin rights.
Old 20 September 2005, 06:25 PM
  #4  
Kieran_Burns
Scooby Regular

Personally I'd look at a separate Domain, not a child one... this way you can set up trusts for the accounts you wish to, and block those you don't....

You could even set up a one-way trust, it's simple to implement with Win2K3 - you really don't want to start mucking around with restricting Domain (Enterprise) Admin access... you'll run into all sorts of problems down the line.
Old 22 September 2005, 09:43 AM
  #5  
J1nxy
Scooby Regular
 

The Domain in a W2k3 implementation is NOT a security boundary. The Enterprise admin is the God account for the whole Forest. The only way to achieve what you want is to have multiple forests and then set up trusts from the domain in 1 forest to the required domains in the other.

Steve
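
A read-only audit for the points raised in posts #3 and #5, added here as an example and not posted by anyone in the thread: it lists who holds Enterprise Admins, shows whether that group sits in each domain's built-in Administrators group, and reports which trusts cross the forest boundary. It assumes the RSAT ActiveDirectory PowerShell module and domain controllers running Active Directory Web Services, both newer than the Windows 2000 environment in the question.

```powershell
# Added example: read-only audit, changes nothing in the directory.
# Assumes the RSAT ActiveDirectory module and reachable DCs running AD Web Services.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDom = Get-ADDomain -Server $forest.RootDomain

# Enterprise Admins lives in the forest root domain with the well-known RID 519.
$eaSid = "$($rootDom.DomainSID.Value)-519"
$ea    = Get-ADGroup -Identity $eaSid -Server $forest.RootDomain

# 1. Who actually holds Enterprise Admins (nested groups expanded)?
#    Review this list first: not every admin needs forest-wide rights.
Get-ADGroupMember -Identity $ea -Server $forest.RootDomain -Recursive |
    Select-Object SamAccountName, objectClass, distinguishedName

# 2. For every domain in the forest, is Enterprise Admins a direct member of
#    BUILTIN\Administrators (well-known SID S-1-5-32-544)?
foreach ($dom in $forest.Domains) {
    $admins = Get-ADGroup -Identity 'S-1-5-32-544' -Server $dom -Properties member
    [pscustomobject]@{
        Domain                      = $dom
        EnterpriseAdminsInBuiltinAdmins = ($admins.member -contains $ea.DistinguishedName)
    }
}

# 3. Trusts seen from each domain. IntraForest = True means the trust stays
#    inside this forest, so it does not separate anything from Enterprise Admins.
#    Only trusts with IntraForest = False cross a forest boundary.
foreach ($dom in $forest.Domains) {
    Get-ADTrust -Filter * -Server $dom |
        Select-Object @{ n = 'Domain'; e = { $dom } },
                      Name, Direction, IntraForest, ForestTransitive,
                      SelectiveAuthentication, SIDFilteringQuarantined
}
```
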