Re: Admin Acct
- From: "Cathy Moya [MS]" <camoya@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 18 Apr 2005 02:11:39 -0700
Hi,
We have an obligation in security documentation to discuss the least
permissions necessary to do a job. And it is true that you can administer
SMS without Domain Admin rights. The issues you list like troubleshooting
DHCP or WINS aren't SMS, so for us to say that you require domain admins
because you might need to administer those just isn't true. The most secure
administration is seldom the most convenient administration. We'll tell you
the least permissions so the product doesn't break, and then it's up to your
security administrators to decide organizationally where it is an acceptable
risk for expedience to trump security.
--
Cathy Moya, CISSP, MCSE: Security
Technical Writer, Windows Enterprise Management Division User Assistance
Check out the SMS Technical FAQ:
http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
This posting is provided AS IS with no warranties and confers no rights.
"my_key" <my_key@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5282442D-E748-4FAB-85C3-D326A861CB56@xxxxxxxxxxxxxxxx
> With SMS 2003 Deployed, supporting 15,000 mixed clients in an NT domain and
> 2000 in an AD domain. My company wants to create a new domain! Collapsing the
> others eventually.
> The central site is in the NT domain
>
> I am the only SMS admin, I am certified and have nearly 5 years, 18 hours a
> day, hands on experience. I presented a project plan suggesting a combination
> of strategies based on the different domains and the lack of additional
> servers.
> I wanted to try and make things as seamless as possible, maintaining
> services, patch management, software distribution, remote tools and at the
> same time be prepared to assist in the new rollout. Unfortunately management
> wants to use advanced security, local admin rights and no domain admin rights
> for myself.
> They feel I only need rights to the SMS servers and systems. I advised them
> it would be a nightmare and that I felt that it was not the appropriate
> method. We could apply advanced security once AD is deployed but that as the
> only SMS Admin it would present me with unimaginable management overhead. I
> believe that for Microsoft to state that SMS admins don't need domain
> accounts is very misleading!
>
> How do you troubleshoot corrupt clients or run scripts or do manual client
> installs? How do we use Network Monitor, troubleshoot WINS, DNS, DHCP or
> sites issues? Try and think of doing day to day ops without domain admin
> accts. When you say admin rights as opposed to domain admin in your
> documentation the issue is blurred or misunderstood.
> Please advise.