Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Restrict access to DC for domain admins

Posted on 2009-07-13
7
Medium Priority
?
634 Views
Last Modified: 2012-05-07
I do not want domain administrators of a child domain to have direct access to the child DC.  The reason is because they could then browse the parent domain AD structure from the child DC.  Currently my firewall only allows AD traffice to/from child and parent DC's. Sooo, if they use ADUC from any other system in the child domain they can't browse the parent domain.  The child domain admins need full control of child AD to create/edit policies, create/edit OU structure, create/edit users accounts and group memberships.

Ok, I have denied remote control via RDP in TS Configuration.  I have set local security policy on the child DC to "Deny terminal services logon" & "Deny logon locally".  BUT, they are domain admins... Couldn't someone clever get around this security to gain local access to the DC?  If so how can I prevent this?
0
Comment
Question by:damien1234
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 23

Accepted Solution

by:
debuggerau earned 2000 total points
ID: 24845750
best practices are described here:
http://technet.microsoft.com/en-us/library/cc773318(WS.10).aspx

but basically, you'll need to plan a roadmap of who can access what.
Map it all out in a hierarchy and implement in AD..

This example hopefully helps.
http://technet.microsoft.com/en-us/library/cc773113(WS.10).aspx
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24845941
"...Couldn't someone clever get around this security to gain local access to the DC?  If so how can I prevent this?..."
You hit the nail on the head someone clever could get around it.  There is nothing you can do other than not giving them DA rights.  You did say someone clever and someone that knows what they are doing.
In fact if they were malicious they could take over your forest.  The forest is the security boundary, two great entries on that.
http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/08/25/security-boundary-forest-vs-domain.aspx
http://blog.joeware.net/2008/07/17/1406/
Thanks
Mike
0
 
LVL 1

Author Comment

by:damien1234
ID: 24846120
Ok, how about this one:

I created 3 Domain Local groups in the child domain which are added to the local administrators group on each of 3 servers (1 group per server).  
I created an additional Domain Local group called "L2 Admins" and joined each of the 3 previous groups to this one.
A global group in the parent domain was then added to L2 Admins.  This global group is no longer a domain administrator for the child domain.  Instead I created a new OU in the child domain where I have delegated significant control to the L2 Admins.  They should be able to do everything they need within the confines of that OU AND they have been given no access to anything above that OU in the hierarchacal structure.

Did I get it right this time?
0
Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

 
LVL 23

Expert Comment

by:debuggerau
ID: 24846297
Yay, and you even did it the Microsoft preferred way, not know for being intuitive..

Now you may want to test those users functionality with RSOP on those more dubious tasks..


0
 
LVL 21

Expert Comment

by:snusgubben
ID: 24846966
Why don't you create a group and put your DA's in this. Delegate the group the permissions they need to do their job and remove them from the DA group?

As long as they are domain admins in the child they could easily put them self in the schema/enterprise admin group. You could also deny the AD snap-ins with group policy to users that don't need them. AD is read for authenticated users so you can hide things, but you can make it a little harder to find.


SG
0
 
LVL 23

Expert Comment

by:debuggerau
ID: 24855785
not sure about that SG, he wrote: "This global group is no longer a domain administrator for the child domain"
0
 
LVL 1

Author Closing Comment

by:damien1234
ID: 31603090
The main idea is to delegate and NEVER assign domain admin status to anyone....
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question