|
|
Hi there [Windows 2003 domain]
Have been attempting to deny access to administrators of the domain to one specific field within AD. Reasons for this are relating to security; and even low-level admins can change that specific field. It is within the Address tab for a user - postOfficeBox.

Have been able to do this for a user by itself - by opening the object, selecting Security, adding the user group I wish to deny access to, going into Advanced, selecting the group within which are the admins I wish to deny access (or Everyone, whichever will work!), Editing, selecting the Properties tab, "Apply to descendant user objects", and ticking the box for Deny Write permissions to the specific field, Post-Office-Box.

This works for one user but does not work when using a group to do this: there will be hundreds of users for which I will want this field unchangeable and do not want to edit each individually. Applying the same permissions to a security group's descendant user objects does not have the same effect; I believe the OU permissions for the user objects are possibly overwriting the security group's permissions? If anyone could be of some help with this I would appreciate it greatly!
Thanks!
|
|
|
[Quoted Text] > Have been attempting to deny access to administrators of the domain to > one specific field within AD. Reasons for this are relating to
Whatever you deny access to, they as domain administrators can go in and undo.
hth DDS
"mooneh" <mooneh[ at ]gmail.com> wrote in message news:c4dd87f5-891d-45f4-8d24-fccfceef118e[ at ]t26g2000prh.googlegroups.com...
|
|
There should be very few members of "Domain Admins". These people must be trusted, as they can do anything. You may have too many "Domain Admins". A better solution might be to create another group (or groups) that has only the permissions needed and move most of your admins to this new group.
-- Richard Mueller MVP Directory Services Hilltop Lab - http://www.rlmueller.net --
"Danny Sanders" <DSanders[ at ]NOSPAMciber.com> wrote in message news:eVLhowdaJHA.1336[ at ]TK2MSFTNGP02.phx.gbl...
|
|
Hello mooneh,
Don't know what low-level admins are. But domain admins can revert all configuration you do. Because they are admin, admin, admin, admin, admin..............
You have to think about who is administrator in the domain, normally this are only a few people.
Best regards
Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
|
|
Howdie!
mooneh wrote:
[Quoted Text] > Have been attempting to deny access to administrators of the domain to > one specific field within AD. Reasons for this are relating to > security; and even low-level admins can change that specific field. It > is within the Address tab for a user - postofficebox.
Take away their admin rights. Start using delegation. AD is powerful when it comes to delegation. There should be only a few people who _need_ domain admin privs.
cheers,
Florian -- Microsoft MVP - Group Policy eMail: prename [at] frickelsoft [dot] net. blog: http://www.frickelsoft.net/blog. Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
|
|
On Dec 29, 6:45 pm, "Florian Frommherz [MVP]" <flor...[ at ]frickelsoft.DELETETHIS.net> wrote:
[Quoted Text] > Take away their admin rights. Start using delegation. AD is powerful > when it comes to delegation. There should be only a few people who _need_ > domain admin privs.

Thank you all. No one has replied with the knowledge I want, but thanks for the input anyway! I will clarify for anyone else.

I am not manager of our domain. I want this done because I work in a security team who need this for a RADIUS request originating from a firewall.

We have an OU without domain administrator access. Domain administrators cannot change things in our OU - without adding themselves to our permissions - so certain things can't be changed by mistake.

I want a security group within our OU that DENIES ACCESS TO ADMINS from changing Post-Office-Box. Reason for this is:

I do not want DOMAIN ADMINS to have access to post-office-box - we, as a security team, have to be able to say: no one can influence our firewalls apart from this list of people, which does not need to include administrators who would normally be able to change items like address fields.

Thanks again for helping! If anyone has any clues I would be so happy :D

Incidentally there is a TechNet article on scripting for allowing specific access to users but not security groups, and those permissions are being overwritten. As I stated before, I can sort the permissions out for the group; I just want a way of making them more important than any other permissions taking precedence.

Users also cannot be located within our OU.
|
|
Hi

No way... Do not allow untrusted people to be Domain Admins.
-- I hope that the information above helps you. Have a Nice day.
Jorge Silva MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup This posting is provided "AS IS" with no warranties, and confers no rights. "mooneh" <mooneh[ at ]gmail.com> wrote in message news:c4dd87f5-891d-45f4-8d24-fccfceef118e[ at ]t26g2000prh.googlegroups.com...
|
|
On Dec 29, 11:32 pm, mooneh <moo...[ at ]gmail.com> wrote:
[Quoted Text] > I want a security group within our OU that DENIES ACCESS TO ADMINS > from changing Post-Office-Box > [...] > As I stated before, I can sort the permissions > out for the group; I just want a way of making them more important > than any other permissions taking precedence. > Users also cannot be located within our OU.

I believe that you have two separate problems:
1) Changing permissions for a set of objects
2) Making sure the permission stays changed
As others have said, you can't do #2 using what's provided in the box. If there is a domain admin out there that wants to change the objects you are interested in, then he will be able to do that. But unlike others, I feel that this is in certain cases reasonable. There are other ways to track what domain admins are doing and it is sometimes perfectly reasonable to state that they should not do something and then use some other mechanism to track what they do. Many security policies don't have to be airtight, they just have to be a "reasonable effort" control.
For #1 it seems like a fairly simple scripting problem. If you can do something through the AD UI then you can script the same action, and by scripting you can easily apply the same permission to multiple objects that are contained in a group, OU, or some other collection. I think you have some misunderstanding related to attributes of a security group object and user objects. Modifying properties of a security group object is not supposed to have any effect on the properties of the user objects which might be members of the security group. I could have misunderstood what you were saying, however, so feel free to ignore if I did.
HTH, Dave
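The scripting approach Dave describes for #1 (and the attribute-level delegation Richard and Florian point at), as an added example that is not code from any poster in this thread. It uses System.DirectoryServices from PowerShell to build the same object-specific ACE the Advanced Security dialog creates ("Deny Write postOfficeBox, apply to descendant user objects") and stamp it either inheritably on an OU or directly on every member of a group, then lists the resulting entries for review. The OU, group and trustee names (OU=Firewall Accounts,DC=example,DC=com, CN=Firewall RADIUS Users,..., EXAMPLE\Domain Admins) are hypothetical; the caller needs WriteDacl on the targets and must run from a domain-joined session.

```powershell
# Added example (not from the thread). Deny WriteProperty on one attribute
# for one trustee, applied to many user objects at once.
# Hypothetical names: EXAMPLE\Domain Admins, OU=Firewall Accounts,DC=example,DC=com,
# CN=Firewall RADIUS Users,OU=Firewall Accounts,DC=example,DC=com.
Add-Type -AssemblyName System.DirectoryServices

# Resolve a schemaIDGUID from the schema by lDAPDisplayName (attribute or class)
# instead of hard-coding GUIDs.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $schemaNc = [string]$rootDse.Properties["schemaNamingContext"].Value
    $schema   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$schemaNc")
    $filter   = "(&(|(objectClass=attributeSchema)(objectClass=classSchema))(lDAPDisplayName=$LdapDisplayName))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema, $filter, [string[]]@("schemaIDGUID"))
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "No schema object with lDAPDisplayName '$LdapDisplayName'" }
    return New-Object System.Guid -ArgumentList (,[byte[]]$hit.Properties["schemaidguid"][0])
}

# Build the object-specific deny ACE. -Inheritable produces the ADUC setting
# "Apply to: Descendant User objects" (inherit-only, filtered to class user);
# without it the ACE applies to the one object it is placed on.
function New-DenyWriteAttributeRule {
    param(
        [Parameter(Mandatory)][string]$Trustee,
        [Parameter(Mandatory)][string]$AttributeName,
        [switch]$Inheritable
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $attrGuid = Get-SchemaGuid $AttributeName
    if ($Inheritable) {
        $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
        $objType = Get-SchemaGuid "user"
    } else {
        $inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        $objType = [Guid]::Empty
    }
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $attrGuid, $inherit, $objType)
}

# Write the ACE into the DACL of one directory object.
function Add-RuleToObject {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Rule
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $entry.ObjectSecurity.AddAccessRule($Rule)
    $entry.CommitChanges()
}

# A group's ACL never flows to its members, so for users that live outside the
# protected OU the ACE has to be stamped on each member object. (Groups with
# more than ~1500 members need ranged retrieval of "member"; not handled here.)
function Add-RuleToGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Rule
    )
    $group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$GroupDn")
    foreach ($memberDn in $group.Properties["member"]) {
        Add-RuleToObject -DistinguishedName ([string]$memberDn) -Rule $Rule
    }
}

# Audit: list deny-write entries for the attribute on an object, including
# inherited ones, so the control can be re-checked after it is set.
function Get-AttributeDenyEntries {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$AttributeName
    )
    $attrGuid = Get-SchemaGuid $AttributeName
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.ObjectType -eq $attrGuid -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        } | Select-Object IdentityReference, IsInherited, InheritanceType
}

# Usage (hypothetical DNs): one inheritable ACE on the OU covers every user
# object under it; members of the group outside the OU get a direct ACE each.
$ouRule = New-DenyWriteAttributeRule -Trustee "EXAMPLE\Domain Admins" -AttributeName "postOfficeBox" -Inheritable
Add-RuleToObject -DistinguishedName "OU=Firewall Accounts,DC=example,DC=com" -Rule $ouRule

$userRule = New-DenyWriteAttributeRule -Trustee "EXAMPLE\Domain Admins" -AttributeName "postOfficeBox"
Add-RuleToGroupMembers -GroupDn "CN=Firewall RADIUS Users,OU=Firewall Accounts,DC=example,DC=com" -Rule $userRule

Get-AttributeDenyEntries -DistinguishedName "CN=Jane Doe,OU=Staff,DC=example,DC=com" -AttributeName "postOfficeBox"
```

The deny ACE is honoured by the directory even for Domain Admins, because a Deny on the specific property GUID wins over their inherited Full Control Allow; what it cannot do is survive a Domain Admin who uses WriteDacl or ownership to remove it, which is Dave's point #2. Treat the script as a guard against accidental edits, pair it with auditing of DACL changes on these objects, and keep the trusted list short by delegating only the rights the RADIUS workflow needs rather than relying on Domain Admins membership.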
|
|
|