Re: Admin Acct



Hi Cathy. Thanks for your reply.
Given the scenario and the goal (to provide uninterrupted service) not to
mention there are no sites and the schema wasn't extended. How do you create
a static 1A in WINS or, when you distribute a package and you get client
errors like path not found (distribution server even though it's up). How do
you resolve the issue? In this particular case I had recommended we stay with
standard mode (tighten up security) until the new domain is deployed, which
is one of MSFT's recommended options. Then consider advanced. Don't forget
I'm the cook, cleaner and bottle washer. What do you think?

"Cathy Moya [MS]" wrote:

> Hi,
> We have an obligation in security documentation to discuss the least
> permissions necessary to do a job. And it is true that you can administer
> SMS without Domain Admin rights. The issues you list like troubleshooting
> DHCP or WINS aren't SMS, so for us to say that you require domain admins
> because you might need to administer those just isn't true. The most secure
> administration is seldom the most convenient administration. We'll tell you
> the least permissions so the product doesn't break, and then it's up to your
> security administrators to decide organizationally where it is an acceptable
> risk for expedience to trump security.
>
> --
> Cathy Moya, CISSP, MCSE: Security
> Technical Writer, Windows Enterprise Management Division User Assistance
>
> Check out the SMS Technical FAQ:
> http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/default.mspx
> This posting is provided AS IS with no warranties and confers no rights.
>
> "my_key" <my_key@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:5282442D-E748-4FAB-85C3-D326A861CB56@xxxxxxxxxxxxxxxx
> > With SMS 2003 Deployed, supporting 15,000 mixed clients in an NT domain and
> > 2000 in an AD domain. My company wants to create a new domain! Collapsing the
> > others eventually.
> > The central site is in the NT domain
> >
> > I am the only SMS admin, I am certified and have nearly 5 years, 18 hours a
> > day, hands on experience. I presented a project plan suggesting a combination
> > of strategies based on the different domains and the lack of additional
> > servers.
> > I wanted to try and make things as seamless as possible, maintaining
> > services, patch management, software distribution, remote tools and at the
> > same time be prepared to assist in the new rollout. Unfortunately management
> > wants to use advanced security, local admin rights and no domain admin rights
> > for myself.
> > They feel I only need rights to the SMS servers and systems. I advised them
> > it would be a nightmare and that I felt that it was not the appropriate
> > method. We could apply advanced security once AD is deployed but that as the
> > only SMS Admin it would present me with unimaginable management overhead. I
> > believe that for Microsoft to state that SMS admins don't need domain
> > accounts is very misleading!
> >
> > How do you troubleshoot corrupt clients or run scripts or do manual client
> > installs? How do we use Network Monitor, troubleshoot WINS, DNS, DHCP or
> > sites issues? Try and think of doing day to day ops without domain admin
> > accts. When you say admin rights as opposed to domain admin in your
> > documentation the issue is blurred or misunderstood.
> > Please advise.