?
Solved

Hiding Parent Domain from Child Domain in ADUC

Posted on 2014-12-14
5
Medium Priority
?
191 Views
Last Modified: 2014-12-18
In some environments they use parent domain just for security purposes. If I am not wrong, if they do not want domain Admins to be Enterprise Admins the creation of parent domain will do the job, it may also apply when they do not want Domain Admins to be Schema Admins....

Well, the point is how to make ADUC show just the Child Domain , not the parent Domain ?

Thanks
0
Comment
Question by:jskfan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 1336 total points
ID: 40499288
In some environments they use parent domain just for security purposes.
This is recommended practice for security purposes and reducing your attack surface particularly from internal threats.

What you're asking to do is "security through obscurity". It's a bad practice because it leads to a false sense of security. I don't believe is possible to do, at least not effectively without breaking something else. Group Policy Management Console for example loads in the root domain and you must navigate down the tree to the child domain. You could also accidentally block domain controllers from being able to see resources in other domains. You will always be able to side step hiding it in ADUC as well via some other method.

My advice would be to secure your root domain tightly and your child domains even tighter :) Impliment real-time monitoring (SCOM, Splunk, etc) as well as historic long term log storage (Splunk, etc). Delegate everything, I can really not see any reason to make anyone other than those very few who need to be domain administrators, domain admins. AD has a very granular delegation system in place.
0
 

Author Comment

by:jskfan
ID: 40499457
How do you hide the parent domain in ADUC...  I worked in environment like that....when I open ADUC there is no sense that there 's a parent domain.
0
 
LVL 17

Accepted Solution

by:
Learnctx earned 1336 total points
ID: 40505987
I've never heard of anyone being able to do this with Active Directory Users and Computers. By default the root of ADUC is the FQDN of the domain and I do not believe it is possible to alter it. Maybe you are thinking about Active Directory Administrative Center which is a more helpdesk orientated tool but I am sure even that has the ability to view the parent node.
0
 
LVL 14

Assisted Solution

by:Ben Hart
Ben Hart earned 664 total points
ID: 40508074
Yeah I don't think there's any options for this.  Best you could do is use Delegation to restrict them from doing anything in the parent domain level.
0
 

Author Closing Comment

by:jskfan
ID: 40508226
OK Thank you Guys!
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses
Course of the Month11 days, 2 hours left to enroll

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question