Hmmm.  OK, I'm inclined to agree, but aren't DAs and EAs governed by the
same set of ACLs and ACEs applied at specific levels of AD as any other
user?

IOW, can't I remove the Allow from DA to Create / Delete User Object?
Right.  AdminSDHolder is going to change it back on its rounds.

And (though joe will come in here any minute and smack me with a large
trout) if I make changes to my AdminSDHolder (not advised), I can change the
ACE/ACL in AD for the administrative contexts.

In fact, because of issues with DAs that need to do their job, but simply
can't be trusted to do some things without blowing off a toe or a leg, I've
had to limit DA ability to modify/change/link/anything the Default Domain
Policy and Default DC Policy.

Overall - not advised, I agree.  Create a new user/group/role for what you
want these folks to really be able to do.  This would be the right
direction.  Eviscerating the DA is not the right move, but that doesn't mean
that it can't be done.

-rtk



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, February 22, 2005 4:05 PM
To: 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

Maybe you could configure auditing to see who is creating user accounts, or
"convert" all domain admins into normal users ;-)
Preventing what you want is not possible, as domain admins in a forest/domain
have the ability to do everything they want.
Jorge
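The auditing route Jorge mentions, written out as an added PowerShell example (not from anyone in this thread): it pulls "A user account was created" events (Security event ID 4720 on Windows Server 2008 and later; the Windows 2000/2003 equivalent of the era is ID 624) and flags the ones performed by a Domain Admins member, which is the action the original poster wanted to prevent but can only detect. It assumes the ActiveDirectory module, "Audit User Account Management" enabled on the DCs, and read access to the Security log; the parameter names and defaults are my own.

```powershell
# Added example: report user-account creations and flag those done by Domain Admins.
# Assumptions: ActiveDirectory module present, success auditing for User Account
# Management enabled, run with rights to read the DC's Security log.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # assumption: run on a DC
    [int]$Days = 7
)
Import-Module ActiveDirectory

# Resolve Domain Admins membership once (nested groups included) for the lookup below.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# 4720 = "A user account was created" (Server 2008+). Older DCs log ID 624 instead.
$filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop

$report = foreach ($e in $events) {
    # Read named fields from the event XML instead of parsing the message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time          = $e.TimeCreated
        CreatedBy     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        NewAccount    = $data.TargetUserName
        ByDomainAdmin = ($domainAdmins -contains $data.SubjectUserName)
    }
}

# Full list, then a per-admin tally of creations done by Domain Admins members.
$report | Sort-Object Time | Format-Table -AutoSize
$report | Where-Object ByDomainAdmin | Group-Object CreatedBy |
    Select-Object Name, Count | Format-Table -AutoSize
```

Creations that should have come from the delegated account-provisioning group rtk describes, but show up here under a DA, are the ones worth following up on.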

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of "Sanz de León,
Juan Carlos"
Sent: Thursday, July 29, 2004 4:15 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Is it possible ? deny domain admins create new user
permission


Dear Gurus,

We are currently working on a project where we need to deny domain
administrators the permission to "create new users" (and assign it to
some other group). Is this technically possible? Has anyone actually
done it before?

Thanks in advance for your help,

Juan Carlos Sanz

 

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

