Is it possible to prevent Domain Admins from being associated with the Built-in Domain Admins ActiveView? (NETIQKB6298)

  • 7706298
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

goal
Is it possible to prevent Domain Admins from being associated with the Built-in Domain Admins ActiveView?

fact
Directory and Resource Administrator 6.x

fix
When you install Directory and Resource Administrator, several pre-defined ActiveViews are created. The Built-in Domain Objects ActiveView includes all objects in a domain where a user is an administrator. This ActiveView associates the Built-in Domain Admins Assistant Admin with the Built-in Admin role. The Built-in Domain Admins Assistant Admin includes all members of the Administrators and Domain Admins groups. This ensures that Windows NT and Windows 2000 administrators can launch the MMC interface with the same permissions they have when using the native tools.

In some situations, however, this is not desired. For example, if the Domain Admins have been denied access to several OUs in the native tools, they will still be able to connect to DRA and view those OUs, because the DRA service account may itself have access to them. In such cases, the following steps can be performed on the DRA server to disassociate the Domain Admins group from the Built-in Domain Admins ActiveView and Assistant Admin group in DRA:

  1. Go to Start.
  2. Select Run.
  3. Type in Regedt32.
  4. Click OK.
  5. Highlight the Built-in Domain Admins key under HKEY_LOCAL_MACHINE\Software\Mission Critical Software\OnePoint\Administration\Data\Modules\Security\Deputy.
  6. Click on the Edit menu.
  7. Select Delete.
  8. Click OK.
  9. Restart the MCS Administration Server service for the change to take effect.
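The same steps 5 to 9 as a PowerShell script, added here as an example and not taken from the original article. It exports the key to a .reg file before deleting it so the association can be restored by importing that file; the service display-name pattern is an assumption based on the article's wording, not a verified service name.

```powershell
# Added example, not part of the NetIQ article. Run in an elevated PowerShell
# session on the DRA server. The service display-name pattern below is an
# assumption taken from the article's wording ("MCS Administration Server").
$KeyPath = 'HKLM:\Software\Mission Critical Software\OnePoint\Administration\Data\Modules\Security\Deputy\Built-in Domain Admins'
$BackupFile = Join-Path $env:TEMP ('DRA-BuiltinDomainAdmins-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# Check whether the key still exists; if not, the association is already gone.
if (-not (Test-Path -LiteralPath $KeyPath)) {
    Write-Host "Key not found under Deputy; nothing to remove."
    return
}

# Export the key first so the change can be reverted with 'reg import'.
$RegPath = $KeyPath -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
reg.exe export "$RegPath" "$BackupFile" /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Registry export failed; aborting before deleting anything."
}
Write-Host "Backup written to $BackupFile"

# Steps 5 to 8: delete the Built-in Domain Admins key and everything beneath it.
Remove-Item -LiteralPath $KeyPath -Recurse -Force

# Step 9: restart the DRA administration service so it reloads its security data.
$Svc = Get-Service -DisplayName 'MCS Administration Server*' -ErrorAction SilentlyContinue
if (-not $Svc) {
    throw "Administration service not found; restart the MCS Administration Server service manually."
}
Restart-Service -InputObject $Svc -Force
Write-Host "Restarted $($Svc.DisplayName); Domain Admins are no longer associated with the Built-in Domain Admins ActiveView."
```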


note

For more information on how to perform the above steps in version 7.x, please refer to the following Knowledge Base article:

NETIQKB37843: How do I prevent Domain Admins and Administrators from managing objects in DRA without explicitly delegating powers to them?

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB37843

Additional Information

Formerly known as NETIQKB6298