Re: Security permissions bug or inheritant permissions??
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/11/04
- Next message: Alexander Suhovey: "Re: bulk imports"
- Previous message: Herb Martin: "Re: NTDS replication problems"
- In reply to: Kevin Buchanan: "Re: Security permissions bug or inheritant permissions??"
- Next in thread: Kevin Buchanan: "Re: Security permissions bug or inheritant permissions??"
- Reply: Kevin Buchanan: "Re: Security permissions bug or inheritant permissions??"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 11 Jul 2004 18:32:41 -0400
I think you are still missing my point. If you allow someone to be an
administrator (a true admin, not someone delegated), they are for all intents
and purposes a domain admin and an enterprise admin. The only reason they can't
get those is if they prevent themselves.
Most everything should be delegated off. As I mentioned, we had 9 domains
comprising 250,000 users on 400 domain controllers across the world with 3
people with native admin rights. Everyone else was delegated.
There is a ton of flexibility in the AD delegation model below native admin. I
disagree when you say there is admin and there is user. It is only correct if
you mean native admin. If you mean user with admin-like rights, then that is
mostly possible to delegate. If it is anything involving delegating rights on a
Domain Controller, then no, but then the DC is a KDC and in many places a CA,
and as they always say for all of those services, whether it is Windows or Unix
or mainframe, you don't share power on those boxes.
You can delegate user administration to the nth degree. Ditto for computer admin
and group admin.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net

Kevin Buchanan wrote:
> It is privilege elevation (see my original post).
>
> The bottom line: there isn't enough granularity of security and we have
> tried delegating security - it just isn't flexible enough. SO - they
> (domain admins) will remain as they are so they can do their job. It is
> just too bad that you can't govern their access/controls. Just as I have
> always believed and known, and Joe admits it - either they are an admin or
> they aren't.
>
> We can agree to disagree - but there just isn't enough granularity of
> control for domain admins. They still can have more control than I want to
> allow.
>
> -KB
>
> "sogjin" <none@none.com> wrote in message
> news:eXzYS72ZEHA.996@TK2MSFTNGP12.phx.gbl...
>
>> Sorry, guys, I don't get it. Are you saying that any (sub)domain admin in
>> the forest can add himself to EA security group? Sounds like privilege
>> elevation bug for me :)
>>
>> "Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
>> news:Xns9524BFF9374casey01@207.46.248.16...
>>
>>> "Kevin Buchanan" <msnewsgroup@misnet.info> said
>>>
>>>> Then I guess we will continue as we have worked for the past 4-5 years. I
>>>> hope someone from Microsoft is "listening". There needs to be security
>>>> granularity from the top down!
>>>
>>> What Joe has already said is that there is already granularity available, but
>>> you need to set it up.
>>> If you have 'administrators' that you don't want to have full domain admin
>>> rights, remove them from the domain admins group and use delegation to set
>>> the permissions you want them to have.
>>>
>>> It is not a Microsoft problem if you add people to the domain admins group
>>> who should not be domain admins.
>>>
>>> --
>>> Andy.
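An added PowerShell illustration (not from Joe's post or anyone else in the thread) of the two halves of his argument: first list who actually holds native admin rights, then delegate user administration on a single OU to a help-desk group instead of putting that group in Domain Admins. The OU `OU=Staff,DC=corp,DC=example` and the group `HelpDesk` are assumed names; the two GUIDs are the well-known schemaIDGUID of the `user` class and the rightsGuid of the "Reset Password" control access right.

```powershell
# Added illustration, not from the thread. Assumed names: the OU
# OU=Staff,DC=corp,DC=example and the security group HelpDesk.
Import-Module ActiveDirectory

# 1. Who really holds native admin rights? Anyone listed here is, in effect,
#    a Domain Admin / Enterprise Admin. Enterprise Admins and Schema Admins
#    exist only in the forest-root domain, so a lookup elsewhere is reported.
foreach ($g in 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    try {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty SamAccountName
        '{0,-18} {1}' -f $g, ($members -join ', ')
    } catch { "$g is not present in this domain (forest-root group)" }
}

# 2. Delegate user administration on one OU to the help desk.
$ou        = 'OU=Staff,DC=corp,DC=example'                  # assumed OU
$sid       = (Get-ADGroup -Identity 'HelpDesk').SID          # assumed group
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$resetPwd  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # rightsGuid of "Reset Password"
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$acl = Get-Acl -Path "AD:\$ou"

# Create and delete user objects anywhere under the OU (object type = user class).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $userClass, $inherit::All)))

# Write any property of existing user objects below the OU (inherited object type = user class).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $inherit::Descendents, $userClass)))

# The "Reset Password" extended right on user objects below the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $inherit::Descendents, $userClass)))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Nothing above touched Domain Admins, so HelpDesk gains no rights on domain
# controllers, the KDC or a CA; that is the boundary Joe describes.
```

Run as an account that can write the OU's security descriptor; the first loop is read-only and is the quick check that the "3 people with native admin rights" figure still holds in your own domain.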