Solved

Restrict users that can be added to specific groups - Schema Admin, Domain Admin, Enterprise Admin

Posted on 2014-09-03
4
311 Views
Last Modified: 2014-09-03
Hello All,

I would like to ensure that no unauthorised changes can be made to any of the Schema, Domain and Enterprise groups.  Basically in the unlikely event that someone manages to elevate permission - I want the additional "user" that has been added to be removed.

Can anyone advise with details on how to achieve

Best regards

Byron
0
Comment
Question by:BYRONJACKSON
  • 2
4 Comments
 
LVL 14

Accepted Solution

by:
Brad Groux earned 500 total points
ID: 40301037
You can create events to monitor these groups, and then setup notifications for when these events occur. This TechNet blog post, while dated is still relevant and takes you through the process of doing so - http://blogs.technet.com/b/kevinholman/archive/2008/04/22/using-event-description-as-criteria-for-a-rule.aspx

Here's a link to a blog post where a user integrated this with Ops Manager - http://thoughtsonopsmgr.blogspot.com/2009/02/steps-for-building-monitor-to-check.html

Remember, you need at least domain admin access to add users to these groups - so the best security is to limit who has domain and enterprise admin access within the environment.
0
 

Author Closing Comment

by:BYRONJACKSON
ID: 40301042
Thank you
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40301050
The Administrator account has unrestricted privileges. So removing any unwanted users can always be done by a domain admin or local admin.

As for privilege elevation this cannot be done if you as a domain/local admin have restricted the users in a group to a specific set of privileges which doesn't include elevating privileges.
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40301053
oops just missed by a few minutes
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question