Also, set up monitoring on GPOs so events are logged when GPO changes occur, and configure an event monitoring system so that you receive alerts when changes occur (Audit Directory Service Changes = Success). The counterpoint to this is that if Domain Admins are acting nefariously in your environment, you have bigger problems. Yes, Domain Admins can modify Group Policy Objects and therefore could easily revert these settings. This can affect membership in the highly privileged Administrators AD group. This is not necessarily a bad thing and for the purpose of this article is convenient - Domain Admins will no longer have their default administrative rights on all servers and workstations!

DO NOT modify Restricted Groups on a GPO linked to the domain root or on Domain Controllers. When you set Restricted Groups in the manner outlined above, it will REMOVE any accounts/groups that previously had membership (not including the local administrator account).
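One way to check a GPO for the two risks above before linking it, as an added example that is not part of the original article: it reads the `[Group Membership]` section of the GPO's security template (`GptTmpl.inf`), reports every group whose membership is replaced via a `__Members` entry, and warns when Administrators is replaced by a GPO linked to the domain root or the Domain Controllers OU. The function names, the sample template, the `example.com` domain and the caller-supplied list of link targets are assumptions made for illustration.

```python
import re

ADMINISTRATORS = {"s-1-5-32-544", "administrators"}  # BUILTIN\Administrators

def replaced_groups(inf_text):
    """Map each group whose membership the GPO replaces to its new member list."""
    found, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"\*?(.+)__Members", key.strip(), re.I)
        members = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        # Assumption: an empty __Members line (as written beside __Memberof
        # entries) is not reported; only explicit member lists are.
        if m and members:
            found[m.group(1)] = members
    return found

def review(inf_text, link_targets, domain_dn):
    """Return warnings for one GPO given its template text and link targets."""
    dc_ou = f"OU=Domain Controllers,{domain_dn}".lower()
    sensitive = [t for t in link_targets if t.lower() in (domain_dn.lower(), dc_ou)]
    warnings = []
    for group, members in replaced_groups(inf_text).items():
        warnings.append(f"REPLACE {group}: members become {', '.join(members)}")
        if group.lower() in ADMINISTRATORS and sensitive:
            warnings.append(f"DANGER {group} replaced by GPO linked to {sensitive[0]}")
    return warnings

# Constructed sample template and link targets (not from a real domain).
SAMPLE_INF = """[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,EXAMPLE\\Server Admins
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-555
*S-1-5-21-1111-2222-3333-1105__Members =
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for w in review(SAMPLE_INF, ["DC=example,DC=com"], "DC=example,DC=com"):
        print(w)
```

`GptTmpl.inf` in SYSVOL is normally stored as UTF-16, so decode it before passing the text to `review`.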