How do I prevent Domain Admins and Administrators from managing objects in DRA without explicitly delegating powers to them? (NETIQKB37843)

  • 7737843
  • 02-Feb-2007
  • 29-Jun-2009

Environment

Directory and Resource Administrator 7.x
Directory and Resource Administrator 8.0
Directory and Resource Administrator 8.0 SP1
Directory and Resource Administrator 8.1

Situation

How do I prevent Domain Admins and Administrators from managing objects in DRA without explicitly delegating powers to them?

How do I remove the built-in Administrators from Managed Domains Assistant Admin Group?
How do I delete Administrators from Managed Domains?

What is the purpose of the Administrators from Managed Domains AA Group?

Resolution

When you install Directory and Resource Administrator (DRA), several pre-defined ActiveViews are created. One of these built-in ActiveViews, Objects Current User Manages as Windows Administrator, includes all objects in a domain where a user is an administrator. This ActiveView associates the Administrators from Managed Domains Assistant Admin group with the DRA Administrator role. The Administrators from Managed Domains Assistant Admin group includes all members of the Administrators and Domain Admins groups. This ensures that Windows NT and Windows 2000/2003 administrators can perform the same functions in DRA as they can using native tools.

However, in some situations this may not be desired. For example, if the Domain Admins have been denied access to several OUs in the native tools, they will still be able to connect to DRA and view those OUs, because the DRA service account may have access to them.

In such cases, the following steps can be performed on the Primary DRA server to un-associate the administrators from the Objects Current User Manages as Windows Administrator ActiveView and Assistant Admin group in DRA. Once the change is completed on the Primary DRA server, restart the NetIQ Administration Server service and then perform a Multi-Master Synchronization to push this change to the Secondaries. The steps are as follows:

  1. Go to Start | Run.
  2. In the Open field type Regedt32.
  3. Click OK.
  4. Select the key under HKEY_LOCAL_MACHINE | Software | Mission Critical Software | OnePoint | Administration | Data | Modules | Security | Deputy, which has Administrators from Managed Domains in the $McsNameValue field displayed in the right-hand pane.
  5. Click the Edit menu.
  6. Select Delete.
  7. Click OK.
  8. Restart the NetIQ Administration Server service for the change to take effect.
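The same registry change as an added PowerShell example, not part of the original article: it locates the Deputy subkey by its $McsNameValue, exports it to a .reg backup first, and only then deletes it and restarts the service. The service display-name pattern, the backup directory and the Wow6432Node remark are assumptions; the registry path and value name come from the steps above.

```powershell
# Added example (not from the original article). Run elevated on the Primary DRA server.
# Assumes the registry path from the article; on 64-bit hosts a 32-bit DRA may instead
# store it under HKLM:\SOFTWARE\Wow6432Node\Mission Critical Software\... (adjust -DeputyPath).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DeputyPath = 'HKLM:\SOFTWARE\Mission Critical Software\OnePoint\Administration\Data\Modules\Security\Deputy',
    [string]$TargetName = 'Administrators from Managed Domains',
    [string]$BackupDir  = "$env:ProgramData\DRA-RegBackup"   # assumed location for the .reg backup
)

# Find the Deputy subkey whose $McsNameValue matches the AA group name.
$candidates = @(Get-ChildItem -Path $DeputyPath -ErrorAction Stop |
    Where-Object { (Get-ItemProperty -Path $_.PSPath).'$McsNameValue' -eq $TargetName })

# Refuse to guess: exactly one key must match before anything is deleted.
if ($candidates.Count -ne 1) {
    throw "Expected exactly one Deputy subkey named '$TargetName', found $($candidates.Count). Aborting."
}
$key = $candidates[0]

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("Deputy-{0}-{1:yyyyMMdd-HHmmss}.reg" -f $key.PSChildName, (Get-Date))

# reg.exe expects the HKEY_LOCAL_MACHINE\... form, which $key.Name provides.
$nativePath = $key.Name
if ($PSCmdlet.ShouldProcess($nativePath, 'Export to .reg and delete')) {
    & reg.exe export "$nativePath" "$backupFile" /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $backupFile failed; key left untouched." }

    Remove-Item -Path $key.PSPath -Recurse -Force

    # Service display name assumed to start with 'NetIQ Administration' as in the article.
    $svc = Get-Service -DisplayName 'NetIQ Administration*' -ErrorAction Stop
    Restart-Service -InputObject $svc -ErrorAction Stop

    Write-Output "Removed '$TargetName' (backup: $backupFile). Run a Multi-Master Synchronization next."
}
```

Run with -WhatIf first to see which key would be exported and deleted without changing anything.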

Note

This workaround is not supported and has not been fully tested.

An Enhancement Request that does not involve a registry hack has been opened with Development to include this functionality in a future version of Directory and Resource Administrator.

Note

For more information on how to perform the above steps in version 6.x, please refer to the following knowledge base article:

NETIQKB6298: Is it possible to prevent Domain Admins from being associated with the Built-in Domain Admins ActiveView?

https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB6298

Beginning in DRA version 8.1 SP1 and later, there is a supported process to accomplish this:

DRA Provides a Utility to Remove and Restore the Administrators from Managed Domains Assistant Admin Group

DRA now provides the ModifyManagedDomainAA utility, which allows you to remove the Administrators from Managed Domains AA group. You can later use the same utility to restore this AA group to DRA. The ModifyManagedDomainAA utility restarts the NetIQ Administration service when you use it to remove or restore the Administrators from Managed Domains AA group. By default, the ModifyManagedDomainAA.exe file is located in the Program Files\NetIQ\DRA folder.

To resolve this problem, upgrade to the latest version of DRA.

Additional Information

Formerly known as NETIQKB37843

Warning: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. NetIQ Technical Support cannot guarantee that problems resulting from the incorrect use of the Registry Editor can be resolved. Make sure that you back up your Registry prior to making any changes.