locked
Disable Domain Admin's privilege to terminate terminal sessions! RRS feed

  • Question

  • Hello All,

    In my domain there are two domain admins.  How can I block the privilege of one domain admin to terminate the remote session of the 'other domain admin' on same server?

    I have a situation that the other admin kills my session suddenly when I am working out.  What I have is windows 2003/2008/2008 R2 servers and Windows 7 clients.  (WIN2K3 DC1/WIN2K8R2 DC2)

    Help Please :)

    Tuesday, February 28, 2012 11:33 AM

Answers

  • There is no way you can control or restrict domain admin group privileges at all.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Wednesday, February 29, 2012 5:00 PM
    • Marked as answer by Bruce-Liu Monday, March 5, 2012 8:14 AM
    Tuesday, February 28, 2012 11:50 AM
  • You can't limit access to a Domain Admin, these users are given full authority to the domain and there is a human "Trust" associated with this user.  If the user is making bad choices then it is the reponsibility of the admin's manager to take corrective action to this admin's bad behavior.  A machine process can't be used to correct a human flaw.  If you can't get them to change then it sounds like you need to log off and save your work.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Proposed as answer by Meinolf Weber Wednesday, February 29, 2012 5:00 PM
    • Marked as answer by Bruce-Liu Monday, March 5, 2012 8:14 AM
    Tuesday, February 28, 2012 1:02 PM

All replies

  • There is no way you can control or restrict domain admin group privileges at all.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Proposed as answer by Meinolf Weber Wednesday, February 29, 2012 5:00 PM
    • Marked as answer by Bruce-Liu Monday, March 5, 2012 8:14 AM
    Tuesday, February 28, 2012 11:50 AM
  • You can't limit access to a Domain Admin, these users are given full authority to the domain and there is a human "Trust" associated with this user.  If the user is making bad choices then it is the reponsibility of the admin's manager to take corrective action to this admin's bad behavior.  A machine process can't be used to correct a human flaw.  If you can't get them to change then it sounds like you need to log off and save your work.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://www.pbbergs.com    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    • Proposed as answer by Meinolf Weber Wednesday, February 29, 2012 5:00 PM
    • Marked as answer by Bruce-Liu Monday, March 5, 2012 8:14 AM
    Tuesday, February 28, 2012 1:02 PM
  • Hello,

    if you don't trust people don't make them admin.You cannot restrict a domain admin from anything, every change you made she/he can undo.

    Talk to the person about the problem or remove the account from the privileged security group.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, February 29, 2012 5:02 PM