Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Restrict users that can be added to specific groups - Schema Admin, Domain Admin, Enterprise Admin

Posted on 2014-09-03
4
Medium Priority
?
322 Views
Last Modified: 2014-09-03
Hello All,

I would like to ensure that no unauthorised changes can be made to any of the Schema, Domain and Enterprise groups.  Basically in the unlikely event that someone manages to elevate permission - I want the additional "user" that has been added to be removed.

Can anyone advise with details on how to achieve

Best regards

Byron
0
Comment
Question by:BYRONJACKSON
  • 2
4 Comments
 
LVL 14

Accepted Solution

by:
Brad Groux earned 2000 total points
ID: 40301037
You can create events to monitor these groups, and then setup notifications for when these events occur. This TechNet blog post, while dated is still relevant and takes you through the process of doing so - http://blogs.technet.com/b/kevinholman/archive/2008/04/22/using-event-description-as-criteria-for-a-rule.aspx

Here's a link to a blog post where a user integrated this with Ops Manager - http://thoughtsonopsmgr.blogspot.com/2009/02/steps-for-building-monitor-to-check.html

Remember, you need at least domain admin access to add users to these groups - so the best security is to limit who has domain and enterprise admin access within the environment.
0
 

Author Closing Comment

by:BYRONJACKSON
ID: 40301042
Thank you
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40301050
The Administrator account has unrestricted privileges. So removing any unwanted users can always be done by a domain admin or local admin.

As for privilege elevation this cannot be done if you as a domain/local admin have restricted the users in a group to a specific set of privileges which doesn't include elevating privileges.
0
 
LVL 12

Expert Comment

by:trinitrotoluene
ID: 40301053
oops just missed by a few minutes
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
Know what services you can and cannot, should and should not combine on your server.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question