Restrict access to DC for domain admins

I do not want domain administrators of a child domain to have direct access to the child DC.  The reason is because they could then browse the parent domain AD structure from the child DC.  Currently my firewall only allows AD traffice to/from child and parent DC's. Sooo, if they use ADUC from any other system in the child domain they can't browse the parent domain.  The child domain admins need full control of child AD to create/edit policies, create/edit OU structure, create/edit users accounts and group memberships.

Ok, I have denied remote control via RDP in TS Configuration.  I have set local security policy on the child DC to "Deny terminal services logon" & "Deny logon locally".  BUT, they are domain admins... Couldn't someone clever get around this security to gain local access to the DC?  If so how can I prevent this?
LVL 1
damien1234Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

debuggerauCommented:
best practices are described here:
http://technet.microsoft.com/en-us/library/cc773318(WS.10).aspx

but basically, you'll need to plan a roadmap of who can access what.
Map it all out in a hierarchy and implement in AD..

This example hopefully helps.
http://technet.microsoft.com/en-us/library/cc773113(WS.10).aspx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Mike KlineCommented:
"...Couldn't someone clever get around this security to gain local access to the DC?  If so how can I prevent this?..."
You hit the nail on the head someone clever could get around it.  There is nothing you can do other than not giving them DA rights.  You did say someone clever and someone that knows what they are doing.
In fact if they were malicious they could take over your forest.  The forest is the security boundary, two great entries on that.
http://msmvps.com/blogs/ulfbsimonweidner/archive/2007/08/25/security-boundary-forest-vs-domain.aspx
http://blog.joeware.net/2008/07/17/1406/
Thanks
Mike
0
damien1234Author Commented:
Ok, how about this one:

I created 3 Domain Local groups in the child domain which are added to the local administrators group on each of 3 servers (1 group per server).  
I created an additional Domain Local group called "L2 Admins" and joined each of the 3 previous groups to this one.
A global group in the parent domain was then added to L2 Admins.  This global group is no longer a domain administrator for the child domain.  Instead I created a new OU in the child domain where I have delegated significant control to the L2 Admins.  They should be able to do everything they need within the confines of that OU AND they have been given no access to anything above that OU in the hierarchacal structure.

Did I get it right this time?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

debuggerauCommented:
Yay, and you even did it the Microsoft preferred way, not know for being intuitive..

Now you may want to test those users functionality with RSOP on those more dubious tasks..


0
snusgubbenCommented:
Why don't you create a group and put your DA's in this. Delegate the group the permissions they need to do their job and remove them from the DA group?

As long as they are domain admins in the child they could easily put them self in the schema/enterprise admin group. You could also deny the AD snap-ins with group policy to users that don't need them. AD is read for authenticated users so you can hide things, but you can make it a little harder to find.


SG
0
debuggerauCommented:
not sure about that SG, he wrote: "This global group is no longer a domain administrator for the child domain"
0
damien1234Author Commented:
The main idea is to delegate and NEVER assign domain admin status to anyone....
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.