Domain Administrator rights within DRA

  • 7022498
  • 21-Dec-2017
  • 14-Jun-2019

Environment

Directory & Resource Administrator 8.x
Directory & Resource Administrator 9.x

Situation

DRA Admins are granted full DRA Administration Rights.

Members of AD Domain Admins have elevated rights within DRA.

How to exclude members of Domain Admins from having DRA Administration Powers.

 

Resolution

Option 1

Consider restricting the membership within the Active Directory Domain Admins group.

Option 2

Manually remove the Administrators from Managed Domains Assistant Admin Group from the active view; using Windows Registry Editor, using the steps below:

  1. Open Windows Registry Editor locally on the OS hosting the Primary DRA Server
  2. Ensure you have a full backup of the Windows Registry path HKEY_LOCAL_MACHINE\SOFTWAREWow6432Node\Mission Critical Software\One point\
  3. Delete the following registry path: HKEY_LOCAL_MACHINE\SOFTWAREWow6432Node\Mission Critical Software\One point\Administration\Data\Modules\Security\ActiveView\{22CF4F63-9B54-4BB3-8FD8-7E5CFA107B69}Deputies\{E72E650F-5f39-451D-A6BF-ED8B983Bff21}
  4. Manually restart the NetIQ Administration Service



Cause

By default the DRA application will grant AD Domain Admins the same level of access within DRA as the group has within Active Directory itself. DRA will not elevate the powers of this group beyond what can already be done within Active Directory.

DRA assigns the AD Domain Admins group membership within the DRA Assistant Admin group named Administrators from Managed Domains. This AA group is assigned the DRA Administration role within the Objects Current User Manages as Windows Administrator DRA Active view.

DRA does not allow for modification of the built-in delegation configuration.

Additional Information

This change will be replaced when upgrading to a new DRA version or Service Pack.

This change will be replicated to all secondary DRA servers during the next MMS sync.

This change will prevent DRA Assistant Admins with membership in Domain Admins from being able to add objects from a trusted domain into groups within the AA's member domain.

This change will prevent DRA Assistant Admins with membership in Domain Admins, in the same AD domain as the DRA server computer account from being able to modify DRA Delegation.


Feedback service temporarily unavailable. For content questions or problems, please contact Support.