Klint_turney asked:

Lockdown Domain Admins

How can I lock down Domain Admins so people cannot add themselves to the group?
Thanks!
Pber:

Unless they are in Administrators or Enterprise Admins, they shouldn't be able to add themselves to that group.

What is the exact situation?
Agreed! Could another domain admin be adding these users by chance? Is there a script somewhere that keeps adding them?
Making the Domain Admins group a restricted group in GPO would keep the membership of Domain Admins to what is defined in the GPO. This will not prevent someone else putting someone in Domain Admins, but after the GPO refresh it will remove the added user if they are not defined in the GPO.

This could also be your problem.  Perhaps your Domain Admins group is already a restricted group and you've removed the user from the group, but not the GPO.  Thus the GPO is adding the user back.
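To make the two behaviours described above concrete, here is an added example (not code from the original thread) that parses the `[Group Membership]` section of a GptTmpl.inf, the file the Restricted Groups editor writes under the GPO's `MACHINE\Microsoft\Windows NT\SecEdit` folder, and compares it with a snapshot of the live group. The `__Members` line is authoritative: on each security policy refresh the client removes anyone not listed and re-adds anyone listed but missing, which is exactly how a user you removed in ADUC keeps coming back. The .inf text, the domain SID `S-1-5-21-1111-2222-3333` and all account names are constructed placeholders.

```powershell
# Added example, not from the original thread. The GptTmpl.inf fragment below is
# constructed; the domain SID and account names are placeholders. RID 512 is the
# well-known RID of Domain Admins, RID 500 the built-in Administrator account.
$GptTmpl = @'
[Group Membership]
*S-1-5-21-1111-2222-3333-512__Memberof =
*S-1-5-21-1111-2222-3333-512__Members = *S-1-5-21-1111-2222-3333-500,CONTOSO\klint,CONTOSO\sysadmin1,CONTOSO\sysadmin2,CONTOSO\svc_backup
'@

function Get-RestrictedGroupDrift {
    <#
      Parses the "<group>__Members" line for one group out of GptTmpl.inf text and
      compares it with the group's current membership, returning what the security
      client will add and remove on its next refresh. "__Members" is authoritative:
      anything not listed is removed, anything listed but missing is re-added.
      "__Memberof" (left empty here) only nests the group into other groups.
    #>
    param(
        [Parameter(Mandatory)][string]$InfText,
        [Parameter(Mandatory)][string]$GroupKey,        # e.g. '*S-1-5-21-...-512'
        [Parameter(Mandatory)][string[]]$CurrentMembers
    )
    $defined = @()
    $pattern = '^\s*' + [regex]::Escape($GroupKey) + '__Members\s*=\s*(.*)$'
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match $pattern) {
            $defined = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    [pscustomobject]@{
        Defined    = $defined
        WillAdd    = @($defined | Where-Object { $_ -notin $CurrentMembers })
        WillRemove = @($CurrentMembers | Where-Object { $_ -notin $defined })
    }
}

# Constructed snapshot of the live group: a tech (tech1) added himself, and
# sysadmin2 was removed in ADUC but is still listed in the policy.
$live = @('*S-1-5-21-1111-2222-3333-500', 'CONTOSO\klint', 'CONTOSO\sysadmin1',
          'CONTOSO\svc_backup', 'CONTOSO\tech1')

$drift = Get-RestrictedGroupDrift -InfText $GptTmpl `
             -GroupKey '*S-1-5-21-1111-2222-3333-512' -CurrentMembers $live
"Policy will remove : $($drift.WillRemove -join ', ')"
"Policy will re-add : $($drift.WillAdd -join ', ')"
```

Run against the constructed data it reports `CONTOSO\tech1` as the account the policy will remove and `CONTOSO\sysadmin2` as the one it will put back. Two caveats for real use: the policy editor normally stores members as `*S-1-5-...` SIDs, so a live comparison needs the current membership translated to the same form before calling the function; and enforcement only happens at security policy refresh (the security client re-applies its settings roughly every 16 hours even when the GPO is unchanged, sooner when the GPO version changes), so a self-added account keeps Domain Admin rights for the whole window in between. Restricted Groups is cleanup, not prevention.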

Klint_turney (ASKER):
I have a few techs that added themselves to the Domain Admins group. I have another group that was set up before I got here a few years back that is called Dameware admins. I thought the same thing, Pber and Kshays, that only Domain Admins can add someone to the Admins group. Myself and 2 Systems Admins are the only "people" in the group; the rest are service accounts.
No, they are adding themselves, I am sure of it.
Check the security on the group and see if another group has been added to the permissions. Also see if the Managed By has any users defined.
No, there is nothing in the Managed By, and I checked the security group already; there is nothing in there other than my service accounts, and I am the only one with the passwords to them. Everyone only has read access and Authenticated Users have read access (in the security tab).
Can you simulate the problem with a basic test user? If not, try to add groups one by one that the techs belong to and see if you can simulate it (remember to log off/log on after each change, or do a run as).

Do you know if they are using ADUC or Dameware to make these changes?
Physical security is just as important. I know it's a stupid question, but it only takes turning your back once on an open console session for a knowledgeable user to grant themselves permissions.

Set up a test user with the desired permissions and see if they can join said group.
ASKER CERTIFIED SOLUTION
mightofnight

This solution is only available to members of Experts Exchange.
Have you configured AD delegation?
Dameware isn't a part of the Domain Admins group. Yeah, we have a 137-server data center which is secured with a door code and a camera inside. I didn't set up the accounts; they were set up before I got here, so I don't know what they did in AD delegation.
Sounds to me like permissions have been delegated allowing things that shouldn't be happening.
Have a look through any 'other' groups that are members of Dom Admins. Sometimes group nesting can cause you grief. Don't know if I am allowed to mention software in here, but if you get the trial version of AD Manager Plus, you should be able to iterate all accounts that are able to modify your Dom Admins group. Saves manually going through every user and group individually.
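The delegation check suggested in the last few replies can be done without a third-party tool. The following is an added example (not from the original thread, and not AD Manager Plus output): it reads the DACL of the Domain Admins group and lists every principal whose ACE is sufficient to change its membership. Besides the obvious GenericAll, that includes WriteProperty on the `member` attribute (schemaIDGUID `bf9679c0-0de6-11d0-a285-00aa003049e2`), the `Self` validated write on the same GUID, which is precisely the "add/remove self as member" right that lets an account put itself into a group, and WriteDacl/WriteOwner, which let a principal grant itself the rest. It also checks `CN=AdminSDHolder,CN=System` because Domain Admins is a protected group: SDProp overwrites its DACL from AdminSDHolder about once an hour, so a stray ACE that survives is usually sitting on AdminSDHolder itself. It assumes the RSAT ActiveDirectory module in a domain-joined session; the function name `Get-MembershipWriters` is this example's own.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module (RSAT) in a domain-joined session, run as a user who can read the
# security descriptor of the group.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute. WriteProperty on this GUID is the
# right needed to edit membership; the validated write "Add/remove self as
# member" uses the same GUID together with the Self right. An all-zero
# ObjectType means the ACE applies to every attribute.
$MemberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$NullGuid   = [Guid]::Empty
$R          = [System.DirectoryServices.ActiveDirectoryRights]

function Get-MembershipWriters {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights   = $ace.ActiveDirectoryRights
        $onMember = ($ace.ObjectType -eq $MemberGuid) -or ($ace.ObjectType -eq $NullGuid)

        # First matching clause wins; GenericAll contains all the others.
        # Property-set GUIDs are not resolved here (assumption: none covers 'member').
        $how = switch ($true) {
            ($rights.HasFlag($R::GenericAll))                   { 'GenericAll'; break }
            ($rights.HasFlag($R::WriteDacl))                    { 'WriteDacl (can grant itself the right)'; break }
            ($rights.HasFlag($R::WriteOwner))                   { 'WriteOwner (take ownership, then WriteDacl)'; break }
            ($rights.HasFlag($R::WriteProperty) -and $onMember) { 'WriteProperty on member'; break }
            ($rights.HasFlag($R::Self) -and $onMember)          { 'Self: can add/remove its own account'; break }
            default                                             { $null }
        }
        if ($how) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Identity  = $ace.IdentityReference.Value
                Via       = $how
                Inherited = $ace.IsInherited
            }
        }
    }
}

$domain  = Get-ADDomain
$targets = @(
    (Get-ADGroup -Identity "$($domain.DomainSID)-512").DistinguishedName   # Domain Admins, well-known RID 512
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"               # template SDProp copies onto protected groups
)
$targets | ForEach-Object { Get-MembershipWriters -DistinguishedName $_ } |
    Sort-Object Object, Identity | Format-Table -AutoSize
```

Read the output for anything beyond the default administrative principals (SYSTEM, Administrators, Domain Admins, Enterprise Admins): a `Self` or `WriteProperty on member` entry granted to a broad group such as Authenticated Users, Domain Users or a custom "admins" group is exactly what lets ordinary accounts add themselves. To see who is doing it rather than who could, turn on the "Audit Security Group Management" subcategory on the domain controllers and watch for event 4728 (member added to a security-enabled global group) with Domain Admins as the target.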
Just realized that this topic is about 6 years old looks like.  :)
Yeah, saw that AFTER posting :)  Don't I feel "special".
:)

I was going to respond also hehehe.

Kevin