Solved

Restrict users that can be added to specific groups - Schema Admin, Domain Admin, Enterprise Admin

Posted on 2014-09-03
4
303 Views
Last Modified: 2014-09-03
Hello All,

I would like to ensure that no unauthorised changes can be made to any of the Schema, Domain and Enterprise groups.  Basically in the unlikely event that someone manages to elevate permission - I want the additional "user" that has been added to be removed.

Can anyone advise with details on how to achieve

Best regards

Byron
0
Comment
Question by:BYRONJACKSON
  • 2
4 Comments
 
LVL 14

Accepted Solution

by:
Brad Groux earned 500 total points
ID: 40301037
You can create events to monitor these groups, and then setup notifications for when these events occur. This TechNet blog post, while dated is still relevant and takes you through the process of doing so - http://blogs.technet.com/b/kevinholman/archive/2008/04/22/using-event-description-as-criteria-for-a-rule.aspx

Here's a link to a blog post where a user integrated this with Ops Manager - http://thoughtsonopsmgr.blogspot.com/2009/02/steps-for-building-monitor-to-check.html

Remember, you need at least domain admin access to add users to these groups - so the best security is to limit who has domain and enterprise admin access within the environment.
0
 

Author Closing Comment

by:BYRONJACKSON
ID: 40301042
Thank you
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40301050
The Administrator account has unrestricted privileges. So removing any unwanted users can always be done by a domain admin or local admin.

As for privilege elevation this cannot be done if you as a domain/local admin have restricted the users in a group to a specific set of privileges which doesn't include elevating privileges.
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40301053
oops just missed by a few minutes
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now