?
Solved

Restrict users that can be added to specific groups - Schema Admin, Domain Admin, Enterprise Admin

Posted on 2014-09-03
4
Medium Priority
?
321 Views
Last Modified: 2014-09-03
Hello All,

I would like to ensure that no unauthorised changes can be made to any of the Schema, Domain and Enterprise groups.  Basically in the unlikely event that someone manages to elevate permission - I want the additional "user" that has been added to be removed.

Can anyone advise with details on how to achieve

Best regards

Byron
0
Comment
Question by:BYRONJACKSON
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 14

Accepted Solution

by:
Brad Groux earned 2000 total points
ID: 40301037
You can create events to monitor these groups, and then setup notifications for when these events occur. This TechNet blog post, while dated is still relevant and takes you through the process of doing so - http://blogs.technet.com/b/kevinholman/archive/2008/04/22/using-event-description-as-criteria-for-a-rule.aspx

Here's a link to a blog post where a user integrated this with Ops Manager - http://thoughtsonopsmgr.blogspot.com/2009/02/steps-for-building-monitor-to-check.html

Remember, you need at least domain admin access to add users to these groups - so the best security is to limit who has domain and enterprise admin access within the environment.
0
 

Author Closing Comment

by:BYRONJACKSON
ID: 40301042
Thank you
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40301050
The Administrator account has unrestricted privileges. So removing any unwanted users can always be done by a domain admin or local admin.

As for privilege elevation this cannot be done if you as a domain/local admin have restricted the users in a group to a specific set of privileges which doesn't include elevating privileges.
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40301053
oops just missed by a few minutes
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever notice how you can't use a new drive in Windows without having Windows assigning a Disk Signature?  Ever have a signature collision problem (especially with Virtual Machines?)  This article is intended to help you understand what's going on and…
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Suggested Courses

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question