Re: AD in DMZ

  • From: "Deus, Attonbitus" <Thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 10 Jul 2003 11:28:43 -0700

At 11:13 AM 7/10/2003, you wrote:

http://www.ISAserver.org

Hate to disagree with you, but domain admins DO NOT have total access across the forest; only the Enterprise Admins do. The members of the Enterprise Admins are responsible for creating and managing the forest, which includes any child domain that is created from the ROOT Domain, and they then assign Domain Admins to existing child domains using the Domain Admins group in each respective child domain. In fact, when nested domains are created the type of trust is known as a transitive trust relationship: rights are recognized between domains but MUST BE GRANTED first, so the only way the admin of Domain B would have rights to the ROOT domain is if the Enterprise Admin granted it. This goes for all users in each domain in the forest. Sorry ...

Let me reword it...

If I am a domain admin in one domain in the forest, you cannot keep me from becoming a domain admin in another domain in the same forest if I want to. Yes, one must know how to do this by taking advantage of schema updates, but it can most certainly be done. It is the nature of the inherent trusts built into AD, and it is exploitable. This is a documented "feature" of active directory.

From an organizational standpoint, you are correct. But the security boundary for AD is the forest, not the domain. The domain is an organizational boundary.

I should have been more clear in the way I said it...

Thanks!

t
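The thread's point is that forest-level groups (Enterprise Admins, Schema Admins in the root domain) and the trust-based nesting of those groups into each child domain's Administrators group are what actually decide who can act across the forest. The PowerShell below is an added audit example, not code from either poster; it assumes the RSAT ActiveDirectory module and read access to every domain, and it inventories those groups in every domain of the current forest, flagging members that come from outside the domain the group lives in.

```powershell
# Added example: inventory forest-level and per-domain admin group membership
# so cross-domain (trust-dependent) privilege is visible. Assumes the RSAT
# ActiveDirectory module is installed and the caller can read every domain.
Import-Module ActiveDirectory

# Map a distinguished name to its domain's DNS name (DC=corp,DC=example -> corp.example).
function Get-DomainFromDN {
    param([string]$DN)
    $dcParts = ($DN -split ',') | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }
    return ($dcParts -join '.')
}

function Get-PrivilegedMembership {
    param([string]$GroupName, [string]$Domain)
    # Read the raw 'member' attribute rather than Get-ADGroupMember, which does
    # not resolve principals from other domains reliably.
    $group = Get-ADGroup -Identity $GroupName -Server $Domain -Properties member
    foreach ($memberDN in $group.member) {
        # Members from outside the domain appear either with their real DN
        # (universal groups, same forest) or as a foreign security principal.
        $isFSP = $memberDN -like '*CN=ForeignSecurityPrincipals,*'
        $memberDomain = if ($isFSP) { '(foreign security principal)' } else { Get-DomainFromDN $memberDN }
        [pscustomobject]@{
            Group        = $GroupName
            GroupDomain  = $Domain
            MemberDN     = $memberDN
            MemberDomain = $memberDomain
            CrossDomain  = ($isFSP -or ($memberDomain -ne $Domain))
        }
    }
}

$forest = Get-ADForest
$report = @()
# Forest-wide groups exist only in the root domain.
foreach ($g in 'Enterprise Admins', 'Schema Admins') {
    $report += Get-PrivilegedMembership -GroupName $g -Domain $forest.RootDomain
}
# Every domain (root and children) has its own Domain Admins and Administrators;
# by default Enterprise Admins is nested into each child's Administrators group,
# which is the mechanism the thread describes for root-to-child authority.
foreach ($d in $forest.Domains) {
    foreach ($g in 'Domain Admins', 'Administrators') {
        $report += Get-PrivilegedMembership -GroupName $g -Domain $d
    }
}
$report | Sort-Object GroupDomain, Group | Format-Table -AutoSize
$report | Where-Object CrossDomain | ForEach-Object {
    Write-Warning "$($_.MemberDN) holds $($_.Group) in $($_.GroupDomain) via a cross-domain path"
}
```

Because Domain Admins is a global group it can only contain accounts from its own domain, so the cross-domain entries you should expect to see are the root's Enterprise Admins nested into each child's Administrators; anything beyond that is worth a closer look.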


