Domain Administrator rights within DRA

  • 7022498
  • 21-Dec-2017
  • 11-Jan-2018

Environment

Directory & Resource Administrator 8.x
Directory & Resource Administrator 9.0

Situation

DRA Admins are granted full DRA Administration rights, and members of the AD Domain Admins group also have elevated rights within DRA. How can members of Domain Admins be excluded from having DRA Administration powers?


Resolution

Microsoft recommends limiting the membership of the Domain Admins group. Limiting membership of that group also indirectly limits who holds DRA Admin rights within DRA itself.

Cause

DRA grants Domain Admins the same elevated security that they are granted within AD. If a DRA Assistant Admin (AA) has been granted Domain Admin rights, the AA will have an equivalent level of access within DRA. This is done by including the Domain Admins group in the DRA AA group "Administrators from managed domains". This DRA AA group is assigned the DRA Administration role within DRA. This assignment is a built-in rule and cannot be modified in the Delegation Console.

Additional Information

DRA does not allow the product administrator to modify built-in ActiveViews or Assistant Admin groups. It is possible to edit the <All Objects> ActiveView via a Windows Registry change: deleting the key listed below removes the AA group <DRA Admins> from the AV <All Objects>. The registry change is not a fully tested method for editing DRA AVs; it is recommended to modify the Domain Admins group membership rather than edit the AV via the registry. This change is NOT fully supported and should only be done at the recommendation of Tech Support. The key to remove is:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mission Critical Software\One point\Administration\Data\Modules\Security\ActiveView\{22CF4F63-9B54-4BB3-8FD8-7E5CFA107B69}\Deputies\{E72E650F-5f39-451D-A6BF-ED8B983Bff21}

You should back up the key BEFORE deleting. This change will be made on the Primary DRA Server and replicate to all other servers.
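The following PowerShell script is an added example, not part of this KB article or the DRA product, covering both the recommended check (who inherits DRA Administration rights through Domain Admins) and the backup-before-delete step above. It assumes the registry path from this article with the path separators written out in full, that reg.exe and the HKLM: drive are available on the Primary DRA Server, and that the ActiveDirectory module is installed for the membership review.

```powershell
# Added example (not from the KB). Run elevated on the Primary DRA Server;
# the registry change replicates to the other DRA servers from there.

# Step 1: review who inherits DRA Administration rights via Domain Admins.
# Nested membership is expanded, since nested members inherit the role too.
function Get-DraInheritedAdmins {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object objectClass, SamAccountName, distinguishedName
}

# Step 2: export the deputy key to a .reg file, verify the export, then
# remove the key. Nothing is deleted unless the backup file exists.
function Remove-DraDeputyKeyWithBackup {
    param(
        [switch]$WhatIf   # dry run: back up and report, but do not delete
    )
    # Key from the KB article, written as a PowerShell HKLM: path.
    $keyPath = 'HKLM:\SOFTWARE\Wow6432Node\Mission Critical Software\One point' +
               '\Administration\Data\Modules\Security\ActiveView' +
               '\{22CF4F63-9B54-4BB3-8FD8-7E5CFA107B69}\Deputies' +
               '\{E72E650F-5f39-451D-A6BF-ED8B983Bff21}'
    # reg.exe wants the HKEY_LOCAL_MACHINE form rather than the HKLM: drive.
    $regExePath = $keyPath -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupFile = Join-Path $env:TEMP "DRA-Deputies-backup-$stamp.reg"

    # -LiteralPath avoids any wildcard interpretation of the GUID braces.
    if (-not (Test-Path -LiteralPath $keyPath)) {
        throw "Key not found (already removed or different DRA version): $keyPath"
    }

    # Export with reg.exe so the backup can be restored with 'reg import'.
    & reg.exe export $regExePath $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) {
        throw 'Registry export failed; key was NOT deleted.'
    }
    Write-Host "Backup written to $backupFile"

    if ($WhatIf) { Write-Host "WhatIf: would remove $keyPath"; return $backupFile }
    Remove-Item -LiteralPath $keyPath -Recurse -Confirm
    return $backupFile
}

# Usage: Get-DraInheritedAdmins | Format-Table
#        Remove-DraDeputyKeyWithBackup -WhatIf   # then without -WhatIf
```

Restore the previous state with `reg import <backup file>` if the ActiveView change has to be reverted.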