When a member server is joined to one domain in a forest, should members of other-dom\domain admins be Administrators
Andrew Bartlett
abartlet at samba.org
Tue May 1 17:02:26 MDT 2012
On Tue, 2012-05-01 at 14:25 -0700, Richard Sharpe wrote:
> Hi,
>
> When a member server, say SRV1 joins DOM1.someforest.local, should a
> member of OTHERDOM.DOM1.someforest.local also have membership of
> BUILTIN\Administrators on the member server?

As far as I understand it, no. Forest admins might of course, but
domain admins are per-domain. (Of course, the real security boundary is
the forest, and any domain admin could subvert their own server and take
over the forest, but just don't tell the auditors...).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org