Solved

Lockdown Domain Admins

Posted on 2006-10-20
17
1,144 Views
Last Modified: 2012-05-13
How can I lock down Domain Admins so people cannot add themselves to the group?
Thanks!
0
Comment
Question by:Klint_turney
17 Comments
 
LVL 26

Expert Comment

by:Pber
ID: 17773827
Unless they are in Administrators or Enterprise Admins, they shouldn't be able to add themselves to that group.

What is the exact situation?
0
 
LVL 16

Expert Comment

by:kshays
ID: 17774016
Agreed!  Could another domain admin be adding these users by chance?  Is there a script somewhere that keeps adding them?
0
 
LVL 26

Expert Comment

by:Pber
ID: 17774175
Making the Domain Admins group a restricted group in GPO would keep the membership of Domain Admins to what is defined in the GPO.  This will not prevent someone else putting someone in Domain Admins, but after the GPO refresh it will remove the added user if they are not defined in the GPO.

This could also be your problem.  Perhaps your Domain Admins group is already a restricted group and you've removed the user from the group, but not the GPO.  Thus the GPO is adding the user back.

0

 
LVL 2

Author Comment

by:Klint_turney
ID: 17774204
I have a few techs that added themselves to the Domain Admins group.  I have another group that was set up before I got here a few years back that is called Dameware admins.  I thought the same thing, Pber and kshays: only Domain Admins can add someone to the Admins group.  Myself and 2 Systems Admins are the only "people" in the group; the rest are service accounts.
0
 
LVL 2

Author Comment

by:Klint_turney
ID: 17774213
No, they are adding themselves, I am sure of it.
0
 
LVL 26

Expert Comment

by:Pber
ID: 17774326
Check the security on the group and see if another group has been added to the permissions.  Also see if the Managed by has any users defined.
0
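An added PowerShell example (mine, not code from this thread) of the check Pber describes, and of the delegation question raised later in the thread: it reads the group's DACL and lists every trustee whose allowed rights would let them change membership, either directly (write on the `member` attribute, or the "Add/remove self as member" validated write, which lets a principal add exactly their own account) or indirectly (WriteDacl or WriteOwner, which let the holder grant themselves the right). It assumes the RSAT ActiveDirectory module and the `AD:` drive it creates; the function name is my own.

```powershell
# Added example, not code from the thread. Requires the RSAT ActiveDirectory
# module, which also provides the AD: drive that Get-Acl reads from.
Import-Module ActiveDirectory

# ACEs that cover the 'member' attribute carry one of these ObjectType GUIDs:
# the attribute itself, the 'Membership' property set that contains it,
# or the empty GUID (the ACE applies to every property of the object).
$MemberScopedGuids = @(
    [Guid]'bf9679c0-0de6-11d1-a285-00aa003049e2',  # schemaIDGUID of 'member'
    [Guid]'bc0ac240-79a9-11d0-9020-00c04fc2d4cf',  # 'Membership' property set
    [Guid]::Empty
)

# The right bits of interest, as plain integers so -band works cleanly.
$WriteProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$SelfWrite     = [int][System.DirectoryServices.ActiveDirectoryRights]::Self
$WriteDacl     = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$WriteOwner    = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

function Get-MembershipWriteAces {
    <#
    Lists Allow ACEs on an AD object that would let the trustee change its
    membership. Emits one object per matching ACE (trustee, reason, inherited).
    #>
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights       = [int]$ace.ActiveDirectoryRights
        $coversMember = $MemberScopedGuids -contains $ace.ObjectType

        $reasons = @()
        # Direct: write the member attribute (GenericWrite/GenericAll include this bit).
        if ($coversMember -and ($rights -band $WriteProperty)) { $reasons += 'WriteProperty(member)' }
        # Direct but narrower: the validated write that lets a principal add or
        # remove only its own account, which is exactly the behaviour in the question.
        if ($coversMember -and ($rights -band $SelfWrite))     { $reasons += 'Self(add/remove own account)' }
        # Indirect: rewrite the DACL or take ownership, then grant the right.
        if ($rights -band $WriteDacl)  { $reasons += 'WriteDacl' }
        if ($rights -band $WriteOwner) { $reasons += 'WriteOwner' }
        if ($reasons.Count -eq 0) { continue }

        [PSCustomObject]@{
            Trustee   = $ace.IdentityReference.Value
            Rights    = ($reasons -join ', ')
            Inherited = $ace.IsInherited
        }
    }
}

# Usage: audit the group itself ...
$da = Get-ADGroup -Identity 'Domain Admins'
Get-MembershipWriteAces -DistinguishedName $da.DistinguishedName | Format-Table -AutoSize

# ... and the AdminSDHolder template. Domain Admins is a protected group, so
# SDProp copies this template's DACL over the group's DACL every 60 minutes;
# a delegation made here reappears on the group even after you remove it there.
$adminSdHolder = 'CN=AdminSDHolder,' + (Get-ADDomain).SystemsContainer
Get-MembershipWriteAces -DistinguishedName $adminSdHolder | Format-Table -AutoSize
```

Anything the report lists beyond the built-in administrative groups and the directory service itself is a delegation worth explaining; the AdminSDHolder pass matters because looking only at the group's own Security tab, as the asker did, misses rights that are re-applied from the template.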
 
LVL 2

Author Comment

by:Klint_turney
ID: 17775095
No, there is nothing in the Managed by, and I checked the security group already; there is nothing in there other than my service accounts, and I am the only one with the passwords to them.  Everyone only has read access and Auth users have read access (in the security tab).
0
 
LVL 26

Expert Comment

by:Pber
ID: 17775168
Can you simulate the problem with a basic test user?  If not, try to add groups one by one that the techs belong to and see if you can simulate (remember to logoff/logon after each change or do a run as).

Do you know if they are using ADUC or Dameware to make these changes?
0
 
LVL 2

Expert Comment

by:mightofnight
ID: 17777155
Physical security is just as important.  I know it's a stupid question, but it only takes turning your back once on an open console session for a knowledgeable user to grant themselves permissions.

Set up a test user with the desired permissions and see if they can join said group.
0
 
LVL 2

Accepted Solution

by:mightofnight (earned 500 total points)
ID: 17777378
Also, Dameware is a remote admin program (in case you're not familiar with it); we looked into it a while ago.  Anyway, is Dameware a member of the Domain Admins group?  To find this out go to AD -> right click on the domain, select Find -> search for Domain Admins -> double-click to view the group and look at Members.  Also, are the techs that you don't want being domain admins listed under Members?

Using Remote Desktop Connection requires local admin rights, which domain admins have.  I could be wrong with this, but I think to handle this situation, as part of a script we add a domain group we created called Local Admins to be part of the local machine Administrators.  Thus our IT department is part of the local admins and then has rights to connect.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17782890
Have you configured AD delegation?
0
 
LVL 2

Author Comment

by:Klint_turney
ID: 17787714
Dameware isn't a part of the Domain Admins group.  Yeah, we have a 137-server data center which is secured with a door code and a camera inside.  I didn't set up the accounts; they were set up before I got here, so I don't know what they did in AD delegation.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17792544
Sounds to me like permissions have been delegated allowing things that shouldn't be happening.
0
 

Expert Comment

by:RoShinAU
ID: 37950882
Have a look through any 'other' groups that are members of Dom Admins.  Sometimes group nesting can cause you grief.  Don't know if I am allowed to mention software in here, but if you get the trial version of AD Manager Plus, you should be able to iterate all accounts that are able to modify your Dom Admins group.  Saves manually going through every user and group individually.
0
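An added PowerShell example (mine, not code from this thread) that makes RoShinAU's nesting point concrete and performs the same comparison a Restricted Groups policy would, the one Pber describes earlier: it walks Domain Admins recursively, records the chain of groups that brings each account in, and reports anyone not on an allowlist. It also checks accounts' primaryGroupID, because a user whose primary group is Domain Admins (RID 512) is a member for every access check without ever appearing in the group's `member` attribute. It assumes the RSAT ActiveDirectory module; the function names and the allowlist are constructed for the example.

```powershell
# Added example, not code from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-NestedMembership {
    <#
    Walks a group's 'member' attribute recursively and emits one object per
    non-group member, with the chain of groups that leads to it. A visited
    set protects against nesting loops (A contains B contains A).
    #>
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string[]]$Path = @(),
        [hashtable]$Visited = @{}
    )
    if ($Visited.ContainsKey($GroupDN)) { return }
    $Visited[$GroupDN] = $true

    $group = Get-ADGroup -Identity $GroupDN -Properties member
    $chain = $Path + $group.Name
    foreach ($memberDN in $group.member) {
        $obj = Get-ADObject -Identity $memberDN -Properties objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') {
            Get-NestedMembership -GroupDN $memberDN -Path $chain -Visited $Visited
        } else {
            [PSCustomObject]@{
                # Foreign security principals have no sAMAccountName; fall back to Name.
                Account = $(if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name })
                Class   = $obj.objectClass
                Via     = ($chain -join ' -> ')
            }
        }
    }
}

function Find-UnauthorizedMembers {
    param(
        [string]$GroupName = 'Domain Admins',
        [Parameter(Mandatory)][string[]]$Authorized
    )
    $group = Get-ADGroup -Identity $GroupName
    $rid   = ($group.SID.Value -split '-')[-1]   # 512 for Domain Admins

    # Members reachable through the member attribute, including nested groups.
    Get-NestedMembership -GroupDN $group.DistinguishedName |
        Where-Object { $Authorized -notcontains $_.Account }

    # Accounts whose primary group is this group: members for all access-check
    # purposes, but never listed in the group's member attribute or in ADUC's Members tab.
    Get-ADUser -LDAPFilter "(primaryGroupID=$rid)" |
        Where-Object { $Authorized -notcontains $_.SamAccountName } |
        ForEach-Object {
            [PSCustomObject]@{ Account = $_.SamAccountName; Class = 'user'; Via = 'primaryGroupID' }
        }
}

# Usage: the allowlist is constructed for the example; substitute your own.
$allowed = @('klint', 'sysadmin1', 'sysadmin2', 'svc-backup')
Find-UnauthorizedMembers -GroupName 'Domain Admins' -Authorized $allowed | Format-Table -AutoSize
```

The `Via` column is what answers the nesting question: an account that arrives through `Domain Admins -> Dameware admins` was not added to Domain Admins at all, and removing it from the nested group (or the nested group from Domain Admins) is the fix. Running this on a schedule and alerting on any output gives the same drift detection that a Restricted Groups policy enforces, without the policy's side effect of silently re-adding accounts that are still listed in the GPO.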
 
LVL 16

Expert Comment

by:kshays
ID: 37961561
Just realized that this topic is about 6 years old looks like.  :)
0
 

Expert Comment

by:RoShinAU
ID: 37963063
Yeah, saw that AFTER posting :)  Don't I feel "special".
0
 
LVL 16

Expert Comment

by:kshays
ID: 37963213
:)

I was going to respond also hehehe.

Kevin
0
