MuratEr-8171 asked DSPatrick answered

How Do I Prevent Domain Controller Changing?

Hi,
We have 3 domain controllers: one is the Master DC, another one is an ADC, and the last one is a Read Only DC.
The Read Only DC is being used for remote office domain services.
If I log in at the RODC, I can click "change to domain controller" and then change the domain.

Is there any way to disable this attribute in the schema or regedit? I don't want any admin who can log in to the RODC to be able to change the domain controller.

Thanks.


windows-active-directory
DSPatrick answered DSPatrick commented

What problem does this cause? This only changes the active domain controller in that MMC instance.

--please don't forget to upvote and Accept as answer if the reply is helpful--




Just checking if there's any progress or updates?

--please don't forget to upvote and Accept as answer if the reply is helpful--



Thameur-BOURBITA answered

Hi,

As mentioned by Patrick, you can change the domain controller in an MMC instance; it can be done from any machine where the Active Directory tools are installed (RODC, member server, workstation, domain controller).
If you want to prevent any change launched from RODC servers, you should check the permissions of each admin account allowed to log in on the RODC, avoid putting all admin accounts in the Domain Admins group, and prevent all domain admin accounts from logging on to RODC servers.

Please don't forget to mark helpful reply as answer
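
One way to carry out the permission check suggested in the answer above, as an added example that is not part of the original thread: for each RODC it lists the delegated RODC administrator accounts and flags any that are also members of Domain Admins. It assumes the RSAT ActiveDirectory module is installed, the group has its default English name, and the account running it can read the domain.

```powershell
# Added example (not from the thread). Read-only audit: it changes nothing.
# Assumes the RSAT ActiveDirectory module and the default group name 'Domain Admins'.
Import-Module ActiveDirectory

# SIDs of every user that holds Domain Admins, nested groups included.
$domainAdminSids = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SID.Value })

$report = foreach ($rodc in Get-ADDomainController -Filter { IsReadOnly -eq $true }) {
    # ManagedBy on the RODC's computer object names the delegated RODC
    # administrator (a user or a group) chosen when the RODC was deployed.
    $computer = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties ManagedBy
    if (-not $computer.ManagedBy) {
        [pscustomobject]@{ RODC = $rodc.HostName; Delegate = '(none set)'; AlsoDomainAdmin = $null }
        continue
    }

    $delegate = Get-ADObject -Identity $computer.ManagedBy
    # Expand a delegated group to its user members; a single user stays as is.
    $accounts = if ($delegate.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $delegate.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
    } else {
        Get-ADUser -Identity $delegate.DistinguishedName
    }

    foreach ($account in $accounts) {
        [pscustomobject]@{
            RODC            = $rodc.HostName
            Delegate        = $account.SamAccountName
            # True means this RODC operator also has domain-wide admin rights.
            AlsoDomainAdmin = $domainAdminSids -contains $account.SID.Value
        }
    }
}

$report | Sort-Object RODC, Delegate | Format-Table -AutoSize
```

Rows with `AlsoDomainAdmin` set to `True` are the accounts the answer advises separating: they administer a remote-office RODC while holding rights over the whole domain.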

MuratEr-8171 answered

Hi Patrick and Bourbita,

You are right, but our organization has different admins who have some permissions in the Active Directory Console. On the other hand, by default Domain users have permission to read some AD objects.

I think that I can remove, or change to passive, the change domain controller menu via a schema setting or attribute setting.

If I can prevent this action by delegation, do you have any delegation scenarios?

Thanks.

DSPatrick answered

Some ideas here.
https://www.rebeladmin.com/2018/02/step-step-guide-manage-active-directory-permissions-using-object-acls/


--please don't forget to upvote and Accept as answer if the reply is helpful--

