A short notice about Administrator accounts privileges.
I guess you have noted that as an administrator (local or domain) you always has the possibility to take ownership of files, folders and objects in AD. Even if you don’t have any ACEs specified on that folder you always has the privilege to take ownership and change the ACLs.
Here’s the magic, the privilege. All users in a Windows network has the privilege to do something. E.g. logon to a computer, shut down a computer, change the system time. Privileges differ from access rights in two ways.
- Privileges control access to system resources and system-related tasks, whereas access rights control access to securable objects.
- A system administrator assigns privileges to user and group accounts, whereas the system grants or denies access to a securable object based on the access rights granted in the ACEs in the object’s DACL.
Administrator accounts has the highest privileges, local system has of course also high privileges.
If we look at the Administrators in Active Directory. Members of the default admin groups: Built-In Administrators, Domain Admins (DA) and Enterprise Admins (EA). They has one of the highest set of privileges because they are at the top of the domain administrative accounts.
One example:
If a user is member of the DA group, the user has the privilege to add himself to one of the other two groups and grants him access to e.g. forest wide configuration capabilities.
The only way to completely remove unwanted access to the user is to remove him from all the High-Privileged groups. It won’t solve anything if you try to do it backwards by changing the ACLs on an object. As a domain admin, the user has the privilege to grant himself access.
What do we get out of this little example?
When securing administrative accounts these three groups with its members is considered effective equivalent. Even dough they have different ACLs in the directory partitions and domain/forest wide access, the members can give themselves permissions they feel needed to do its work in the entire AD domain and possibly forest.
This is by design and should not be tampered with, don’t try to remove the default behavior by using Restricted Groups and User Rights Assignments to remove access, it could create problems when doing a Service Pack installation or a domain upgrade for example.
Focus on creating a good delegation model where you don’t need any memberships of the High-Privileged Groups.