Active Directory has introduced many new levels of
complexity to server and security management. For example, if you
would like to grant a remote site administrator the rights to install
software or services on a domain controller, that person would have
to be a domain administrator. Granting that person domain
administrator rights introduces the possibility of that user creating
new accounts with administrative rights. Obviously, this is not an
ideal situation.
The following steps show how to grant a user the same level of rights
as an administrator of a member server or a workstation on a domain
controller, while preventing that user from having rights to Active
Directory.
WARNING: Please note that this hack does not eliminate all possible security
risks, and the users who are granted these rights need to be highly
trusted.
- Log onto a domain controller with full domain administrator rights.
  Make sure your Active Directory domain is in native mode (nesting one
  global group inside another, which the steps below rely on, is not
  possible in mixed mode).
- Inside of Active Directory Users and Computers, create a global
  security group called DCAdmins. Add all users/groups that will need
  administrative access to the domain controllers to this group.
- Create another global security group called DenyDCAdmins.
- Add the DCAdmins group to the DenyDCAdmins group.
- Inside of Active Directory Users and Computers, right-click on the
  domain name and choose Properties. Click on the Security tab (if the
  Security tab is not available, go to the View menu and choose
  Advanced).
Figure 1. Denying Full Control permission for the DenyDCAdmins global group
Now, all users or groups that are members of the DCAdmins group have
full administrative access to all domain controllers but do not have
any access to Active Directory.
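The same group setup, scripted instead of clicked through, as an added example that is not part of the original hack. It assumes the ActiveDirectory PowerShell module and its AD: drive (which postdate the article), creates the two global security groups in the default Users container, nests DCAdmins in DenyDCAdmins, and then adds the explicit Deny Full Control entry for DenyDCAdmins on the domain object shown in Figure 1. It covers only the steps the text and figure describe; it does not include whatever grants DCAdmins its administrative rights on the domain controllers themselves, since the text does not show that step. The final command reads the ACL back so you can confirm the deny entry actually landed.

```powershell
# Added example (not the original article's procedure): scripts the DCAdmins /
# DenyDCAdmins group setup and the Deny Full Control ACE from Figure 1.
# Assumes the ActiveDirectory module and its AD: PSDrive are available.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Create the two global security groups if they do not already exist.
foreach ($name in 'DCAdmins', 'DenyDCAdmins') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path "CN=Users,$domainDN"
    }
}

# Nest DCAdmins inside DenyDCAdmins (requires a native-mode domain).
Add-ADGroupMember -Identity 'DenyDCAdmins' -Members 'DCAdmins'

# Deny Full Control (GenericAll) to DenyDCAdmins on the domain object,
# inherited by all child objects, which is what Figure 1 shows in the GUI.
$sid = (Get-ADGroup -Identity 'DenyDCAdmins').SID
$acl = Get-Acl -Path "AD:\$domainDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Check: read the ACL back and list the deny entries for DenyDCAdmins.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object {
        $_.IdentityReference -like '*\DenyDCAdmins' -and
        $_.AccessControlType -eq 'Deny'
    } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
```

Run it once as a domain administrator on a domain controller. Because an explicit Deny entry on the domain root is evaluated before any Allow that DCAdmins members pick up through other group memberships, the read-back at the end is the quickest way to confirm the entry exists with the inheritance you expect before handing the DCAdmins group to anyone.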
TIP
These users won't even be able to browse Active
Directory to apply permissions on shares or files. It is generally a
best practice for these users to have two accounts: one for
administering the domain controllers and another for day-to-day use.
Overall, this is a great approach to limit security for remote
administrators and operations teams that need to be able to make
changes on domain controllers. I highly recommend trying this
approach before blanketing your Active Directory environment with
unnecessary domain administrators.
—Tim Mintner
It wouldn't effectively slow down anyone but those with the same level of understanding of AD Security and that is hoping they aren't running a program that has more understanding.
No security is offered with this hack. Anyone you do this for should be someone you would trust with Enterprise Admin rights because they could quite easily get them. The whole statement of "Please note that this hack does not eliminate all possible security risks, and the users who are granted these rights need to be highly trusted" makes no sense. If you trusted someone you would just give them the admin rights in the first place. There is NO WAY to effectively lock down a DC so someone can manage it other than DAs at the present time. Longhorn server in 2007 will make available a new option called Read-Only DC that will allow making someone else be admin of the local box without any access to AD but only on RO-DCs.
Joe Richards
www.joeware.net
Author - O'Reilly Active Directory Third Edition