Active Directory security

  #1  
Old 24th January 2008, 12:14
markie99

Good morning all,

If I disable an account in AD, how do I prevent someone going in and enabling it again so documents can be retrieved and then turned off?

Thanks
  #2  
Old 24th January 2008, 12:31
m80arm

Only people who have permission should be able to un-disable the account. If you don't trust them then they shouldn't have the permissions they have.

Or, you could create an OU and delegate permissions to yourself (and other trusted admins) and then move the user accounts into that OU once you have disabled them. That way only you have permissions over the user objects.

Michael
__________________
Michael Armstrong
www.m80arm.co.uk
MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

  #3  
Old 24th January 2008, 12:36
markie99

Michael,
Thanks for your reply, but the problem is a manager is leaving, but their friend is the IT admin. I will disable the account so they are unable to log in to the account, but can I put something in place so it will (1) show me who does access the account (2) not give access out?

It is a very sensitive area, and I do not wish them to know that I would be aware if anyone accesses the account.
  #4  
Old 24th January 2008, 13:27
Stonelaughter

1 ) If "The IT Admin" is your superior and he is behaving inappropriately then you need to report it over his head, not take your own action to prevent him (which he will undo).

2 ) Auditing can be set on the Manager's user account - you can audit the "Write all properties" event and every time someone changes something about that account an event will be written to the Event Log. THERE IS NO WAY TO HIDE THIS.

3 ) As someone above said, put the user's account into an OU that the IT Admin doesn't have access to; however if he is a Domain Admin he will simply be able to take ownership and remove the permissions, EVEN IF THERE IS A SPECIFIC DENY.

Really - the best bet is to report it and wash your hands of it. Oh - and change your password - that way only you can use your account.
__________________


Tom
For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

Anything you say will be misquoted and used against you
  #5  
Old 24th January 2008, 13:29
biggles77

You could enable auditing so you would have a log of what was done and by whom.

Also share your concerns with another management member who you can trust and email any discussions so there is a record of what you talk about. Rule 1 is protect yourself. Change the password before you disable it so if it is re-enabled they won't be able to logon. Just throws a little kink into the works.
__________________
"There I stood at the bar, wearing a Mae West, no jacket, and beginning to leak blood from my torn boot. None of the golfers took any notice of me - after all, I wasn't a member!" Kenneth Lee - after being shot down during the Battle of Britain on the 18th August 1940.

  #6  
Old 24th January 2008, 14:01
markie99

Thanks for the replies. I will do the simple one and change the password, then disable the account. I will then know if the account has been activated or not.

How do I enable auditing?
  #7  
Old 24th January 2008, 14:13
m80arm

There is ample information about this on the t'internet.

Here is some to get you going:

http://www.windowsecurity.com/articl...-Auditing.html
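An added example, not posted by anyone in the thread: one way to set up the "Write all properties" auditing described in post #4 and then list who enabled, disabled, reset or modified the account. It assumes Windows Server 2008 or later domain controllers (the event IDs differ on older versions), the ActiveDirectory PowerShell module, and a placeholder account name `departing.manager`.

```powershell
# Added example (not from the thread). Assumptions: Windows Server 2008 or later
# DCs, the ActiveDirectory module, and a placeholder account name.
Import-Module ActiveDirectory
$Sam  = 'departing.manager'                      # hypothetical account
$user = Get-ADUser -Identity $Sam

# 1. Record account-management and directory-change events. Run on each DC, or
#    set the same subcategories in the policy that applies to domain controllers.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. Audit entry on the user object itself: log every successful property write.
$path     = "AD:\$($user.DistinguishedName)"
$acl      = Get-Acl -Path $path -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Ask every DC who touched the account. 4722 = enabled, 4724 = password reset,
#    4725 = disabled, 4738 = changed, 5136 = directory object attribute modified.
$labels = @{ 4722 = 'enabled'; 4724 = 'password reset'; 4725 = 'disabled'
             4738 = 'changed'; 5136 = 'attribute written' }
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4722, 4724, 4725, 4738, 5136
    } | ForEach-Object {
        # Flatten the event's named data fields into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -eq $Sam -or $d.ObjectDN -eq $user.DistinguishedName) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                DC        = $dc.HostName
                Action    = $labels[$_.Id]
                Attribute = $d.AttributeLDAPDisplayName   # only set for 5136
                By        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
    }
}
$report | Sort-Object Time | Format-Table -AutoSize
```

Run it from an elevated session with rights to edit the object's audit entries and read the Security log on each domain controller.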