Re: Admin Acct
- From: my_key <mykey@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 18 Apr 2005 19:12:01 -0700
What would you say are the least permissions, taking into account that
scripts are being used to install or remove the clients or if a registry
modification is needed? I also noticed that many of the subscribers have DM
accts. I understand your co. position on security. You don't think this
situation would be easier with those rights?
"Cathy Moya [MS]" wrote:
> Hi,
> We have an obligation in security documentation to discuss the least
> permissions necessary to do a job. And it is true that you can administer
> SMS without Domain Admin rights. The issues you list like troubleshooting
> DHCP or WINS aren't SMS, so for us to say that you require domain admins
> because you might need to administer those just isn't true. The most secure
> administration is seldom the most convenient administration. We'll tell you
> the least permissions so the product doesn't break, and then it's up to your
> security administrators to decide organizationally where it is an acceptable
> risk for expedience to trump security.
>
> --
> Cathy Moya, CISSP, MCSE: Security
> Technical Writer, Windows Enterprise Management Division User Assistance
>
> Check out the SMS Technical FAQ:
> http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
> This posting is provided AS IS with no warranties and confers no rights.
>
> "my_key" <my_key@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:5282442D-E748-4FAB-85C3-D326A861CB56@xxxxxxxxxxxxxxxx
> > With SMS 2003 deployed, supporting 15,000 mixed clients in an NT domain and
> > 2000 in an AD domain. My company wants to create a new domain! Collapsing
> > the others eventually.
> > The central site is in the NT domain.
> >
> > I am the only SMS admin, I am certified and have nearly 5 years, 18 hours a
> > day, hands-on experience. I presented a project plan suggesting a
> > combination of strategies based on the different domains and the lack of
> > additional servers.
> > I wanted to try and make things as seamless as possible, maintaining
> > services, patch management, software distribution, remote tools and at the
> > same time be prepared to assist in the new rollout. Unfortunately
> > management wants to use advanced security, local admin rights and no domain
> > admin rights for myself.
> > They feel I only need rights to the SMS servers and systems. I advised them
> > it would be a nightmare and that I felt that it was not the appropriate
> > method. We could apply advanced security once AD is deployed but that as
> > the only SMS Admin it would present me with unimaginable management
> > overhead. I believe that for Microsoft to state that SMS admins don't need
> > domain accounts is very misleading!
> >
> > How do you troubleshoot corrupt clients or run scripts or do manual client
> > installs? How do we use Network Monitor, troubleshoot WINS, DNS, DHCP or
> > sites issues? Try and think of doing day to day ops without domain admin
> > accts. When you say admin rights as opposed to domain admin in your
> > documentation the issue is blurred or misunderstood.
> > Please advise.
>
>
>