Active Directory security
This thread has 6 replies and has been viewed 1624 times
#1
Good morning all,
If I disable an account in AD, how do I prevent someone going in and enabling it again so documents can be retrieved and then turned off? Thanks
#2
Only people who have permission should be able to un-disable the account. If you don't trust them then they shouldn't have the permissions they have.
Or, you could create an OU and delegate permissions to yourself (and other trusted admins) and then move the user accounts into that OU once you have disabled them. That way only you have permissions over the user objects.
Michael
__________________
Michael Armstrong www.m80arm.co.uk MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician ** Remember to give credit where credit is due and leave reputation points
#3
Michael,
Thanks for your reply, but the problem is a manager is leaving, and their friend is the IT admin. I will disable the account so they are unable to log in to the account, but can I put something in place so it will (1) show me who does access the account (2) not give access out? It is a very sensitive area, and I do not wish them to know that I would be aware if anyone accesses the account.
#4
1 ) If "The IT Admin" is your superior and he is behaving inappropriately then you need to report it over his head, not take your own action to prevent him (which he will undo).
2 ) Auditing can be set on the Manager's user account - you can audit the "Write all properties" event and every time someone changes something about that account an event will be written to the Event Log. THERE IS NO WAY TO HIDE THIS.
3 ) As someone above said, put the user's account into an OU that the IT Admin doesn't have access to; however if he is a Domain Admin he will simply be able to take ownership and remove the permissions, EVEN IF THERE IS A SPECIFIC DENY.
Really - the best bet is to report it and wash your hands of it.
Oh - and change your password - that way only you can use your account.
__________________
Tom
For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored. Anything you say will be misquoted and used against you
#5
You could enable auditing so you would have a log of what was done and by who.
Also share your concerns with another management member who you can trust and email any discussions so there is a record of what you talk about. Rule 1 is protect yourself.
Change the password before you disable it so if it is re-enabled they won't be able to logon. Just throws a little kink into the works.
__________________
"There I stood at the bar, wearing a Mae West, no jacket, and beginning to leak blood from my torn boot. None of the golfers took any notice of me - after all, I wasn't a member!" Kenneth Lee - after being shot down during the Battle of Britain on the 18th August 1940.
** Remember to give credit where credit is due and leave reputation points where appropriate **
#6
Thanks for the replies. I will do the simple one and change the password then disable the account. I will then know if the account has been activated or not.
How do I enable auditing?
#7
There is ample information about this on the t'internet.
Here is some to get you going: http://www.windowsecurity.com/articl...-Auditing.html
__________________
Michael Armstrong www.m80arm.co.uk MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician ** Remember to give credit where credit is due and leave reputation points
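
An added example, not part of the thread: one way to see who re-enabled, reset or changed a disabled account, by reading the user account management events from a domain controller's Security log. It assumes auditing of user account management is already turned on for the domain controllers; the function names and the sample values (`jsmith`, `itadmin`, `CORP`) are hypothetical.

```powershell
# Added example, not from the thread. The event IDs are the standard Windows
# Security log IDs for user account management.
$AccountEvents = @{
    '4722' = 'Account enabled'
    '4724' = 'Password reset attempted'
    '4725' = 'Account disabled'
    '4738' = 'Account changed'
}

function ConvertFrom-AccountEventXml {
    # Turns one Security event (as XML text) into time/action/target/actor fields.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e = ([xml]$Xml).Event
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $e.System.TimeCreated.SystemTime
            Action = $AccountEvents[[string]$e.System.EventID]
            Target = $data['TargetUserName']
            Actor  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

function Get-AccountChangeEvent {
    # Reads the Security log of one domain controller. Each DC logs only the
    # changes it processed, so run this against every DC in the domain.
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$DomainController)
    $filter = @{ LogName = 'Security'; Id = 4722, 4724, 4725, 4738 }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
        ForEach-Object { $_.ToXml() } | ConvertFrom-AccountEventXml |
        Where-Object { $_.Target -eq $SamAccountName }
}

# Constructed sample event (trimmed to the fields used above) for an offline run.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4722</EventID><TimeCreated SystemTime="2024-01-15T09:30:00Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="SubjectUserName">itadmin</Data>
    <Data Name="SubjectDomainName">CORP</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-AccountEventXml | Where-Object { $_.Target -eq 'jsmith' }
```

Forwarding these events to a collector that domain administrators cannot modify keeps the record available even if the Security log on a DC is cleared.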