Hello
Can someone please help me with the following question regarding CA Role Separation? (Thanks in advance.)
I understand by default the 'Local Administrator' or 'Local Administrators Group' have certain high privileges on the CA itself.
I understand enabling 'Role Separation' stops a security principal (e.g. user) being a member of more than one of the pre-defined CA Role Based Administration roles. For example, if Role Separation is enabled you cannot have both Audit and Backup rights.
If the above is correct, when you enable Role Separation does this also take away the default privileges the Local Administrator (and members of the Local Administrators Group) have on the CA?
Or
Does Role Separation simply stop the Local Administrator (or members of the Local Administrators Group) being assigned more than one of the CA Role Based roles (as above) but thereby still allow high privileges to the CA in any event?
The reason I ask is by default I believe the Domain Admins group is automatically made a member of the Local Administrators Group on Domain Joined computers (and thereby the CA Server).
I do not want Domain Admins or Enterprise Admins having Rights to the CA (e.g. be able to perform CA tasks).
Therefore, do I need to perform 'extra' tasks over and above enabling Role Separation (e.g. restricting membership of the local administrators group) to achieve the security I want?
Thanks All
AAnotherUser__