Is there a way to restrict Domain Admins from modifying OCS servers?

  • Question

  • Large environment with dedicated AD, application, messaging teams, etc.  Each team has a member or members in domain admins group.  Implementing OCS and would like a way to prevent "Domain Admins" from making changes in OCS administration console.  Appreciate your help.  Thanks!
    Monday, April 13, 2009 3:18 PM


All replies

  • Take a look at this article for details on rights delegation:

    You may need to reverse-engineer some of the inherent security related to Domain Admins to find a way to restrict rights to certain objects.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    • Marked as answer by jagard29 Wednesday, April 15, 2009 6:41 PM
    Monday, April 13, 2009 3:26 PM
  • Thanks Jeff.  Removing the Domain Admins from the local Administrators group also helped.  So with RTCUniversalReadOnly and no local access they can read but not modify the server attributes.  Cool!
    Wednesday, April 15, 2009 6:40 PM
  • Be careful with removing Domain Admins from the server's local Administrator groups as that is a good way to lock one's self out of a server ;)  Those Domain Admin members will still have access to domain-wide OCS configuration settings and other pieces that are not computer specific.

    That said, battling a large amount of Domain Admin accounts is quite typical in the real world and can be hard to limit.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, April 15, 2009 7:18 PM
  • Agreed, I've advised on the risks and made it clear they will need to make sure their group is in Local Admins first.

    Yeah, you said it.  It would be nice to clean up the environment and ensure the various admins only have the rights they need but that's probably never going to happen. :-)

    Thanks for your help!
    Thursday, April 16, 2009 3:33 PM
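
The lockout risk raised in this thread can be checked before Domain Admins is removed from a server's local Administrators group. The script below is an added example, not code from any poster in the thread. It assumes Windows PowerShell 5.1 with the Microsoft.PowerShell.LocalAccounts module and an elevated session on the server, and the group name `CONTOSO\OCS-ServerAdmins` is a hypothetical placeholder.

```powershell
# Added example: refuse to remove Domain Admins from local Administrators
# unless a replacement admin group is already a member (lockout guard).
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Hypothetical group that must keep administrative access to this server.
    [string]$RequiredAdminGroup = 'CONTOSO\OCS-ServerAdmins'
)

$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$members   = @(Get-LocalGroupMember -SID $adminsSid)

# Domain Admins is always <domain SID>-512, whatever its display name.
$domainAdmins = @($members | Where-Object {
    $_.SID.Value -match '^S-1-5-21-(\d+-){3}512$'
})

# The replacement must be present as a group, not as a single user account.
$replacement = @($members | Where-Object {
    $_.Name -eq $RequiredAdminGroup -and $_.ObjectClass -eq 'Group'
})

if ($domainAdmins.Count -eq 0) {
    Write-Output 'Domain Admins is not in local Administrators; nothing to do.'
    return
}

if ($replacement.Count -eq 0) {
    Write-Error "$RequiredAdminGroup is not in local Administrators. Add it first to avoid a lockout."
    return
}

foreach ($da in $domainAdmins) {
    # -WhatIf previews the change; without it, the user is prompted to confirm.
    if ($PSCmdlet.ShouldProcess($da.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -SID $adminsSid -Member $da -Confirm:$false
    }
}

# Show the resulting membership for the change record.
Get-LocalGroupMember -SID $adminsSid |
    Select-Object Name, ObjectClass, PrincipalSource
```

Run it with `-WhatIf` first to preview the removal. It only affects local rights on the server it runs on; the domain-wide OCS settings mentioned in the thread are not touched.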