
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 327

Restrict users that can be added to specific groups - Schema Admin, Domain Admin, Enterprise Admin

Hello All,

I would like to ensure that no unauthorised changes can be made to any of the Schema, Domain and Enterprise groups. Basically, in the unlikely event that someone manages to elevate permission, I want the additional "user" that has been added to be removed.

Can anyone advise with details on how to achieve

Best regards

1 Solution
Brad Groux, Senior Manager (Wintel Engineering), commented:
You can create events to monitor these groups, and then set up notifications for when these events occur. This TechNet blog post, while dated, is still relevant and takes you through the process of doing so: http://blogs.technet.com/b/kevinholman/archive/2008/04/22/using-event-description-as-criteria-for-a-rule.aspx

Here's a link to a blog post where a user integrated this with Ops Manager: http://thoughtsonopsmgr.blogspot.com/2009/02/steps-for-building-monitor-to-check.html

Remember, you need at least domain admin access to add users to these groups, so the best security is to limit who has domain and enterprise admin access within the environment.
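A PowerShell version of the monitoring Brad describes, plus the removal the question asks for, as an added example that is not code from this thread or from the linked blog posts. It assumes the ActiveDirectory RSAT module on a domain-joined host, an account allowed to read and modify these groups, and placeholder baseline member names that you replace with your own.

```powershell
# Added example: reconcile the three privileged groups against an approved baseline,
# warn on (and optionally remove) unexpected direct members, then pull the Security
# events that record who made the additions. Baseline names below are placeholders.
Import-Module ActiveDirectory

$Baseline = @{
    'Domain Admins'     = @('Administrator', 'svc-breakglass')   # placeholder approved members
    'Enterprise Admins' = @('Administrator')
    'Schema Admins'     = @()   # normally empty except during a planned schema change
}
$Remove = $false   # set to $true only after the report has been reviewed

foreach ($group in $Baseline.Keys) {
    # -Recursive also surfaces accounts that arrive through a nested group
    $current    = Get-ADGroupMember -Identity $group -Recursive |
                  Select-Object -ExpandProperty SamAccountName
    $unexpected = $current | Where-Object { $Baseline[$group] -notcontains $_ }

    foreach ($member in $unexpected) {
        Write-Warning "Unexpected member '$member' in '$group'"
        if ($Remove) {
            # Only direct members can be removed here; a member that came in via a
            # nested group must be removed from that nested group (or the group unnested)
            Remove-ADGroupMember -Identity $group -Members $member -Confirm:$false -ErrorAction Continue
        }
    }
}

# Membership additions are logged as 4728 (global group, e.g. Domain Admins),
# 4756 (universal group, e.g. Enterprise/Schema Admins) and 4732 (domain local).
# Query each domain controller's Security log; a 24-hour window is assumed here.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Domain Admins|Enterprise Admins|Schema Admins' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Schedule the script (or feed the same event IDs to your SIEM) so the alert fires within minutes of a change rather than at the next manual review.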
BYRONJACKSON (Author) commented:
Thank you
trinitrotoluene, Director - Software Engineering, commented:
The Administrator account has unrestricted privileges. So removing any unwanted users can always be done by a domain admin or local admin.

As for privilege elevation this cannot be done if you as a domain/local admin have restricted the users in a group to a specific set of privileges which doesn't include elevating privileges.
trinitrotoluene, Director - Software Engineering, commented:
Oops, just missed by a few minutes.
