Re: replication monitoring rights

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/27/05


Date: Wed, 26 Jan 2005 21:36:15 -0500

1. Actually this can be done with normal user rights if you use the right
things. The Repadmin and replmon tools use an RPC interface that forces you to
use enhanced rights. If you use the iadstools DLL and scripts, it reads the AD
attributes directly and dumps the info, so it can be done with a normal user ID.

2. You don't need to be a DA to do a setinfo. It depends entirely on the rights.

Overall, kicking everyone out of DAs is the best thing you can do. I ran a
250,000 user global forest with 2 other guys; we three were the only ones with
DA or EA access. Everyone else had some level of delegated rights. I don't
generally recommend giving people full control over user objects; it tends to
give too many permissions, especially when running Exchange.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

edwardb wrote:
> We have recently gone through a strict security measure and removed
> pretty much everyone from domain admins and started to delegate every
> little task people need to do.
> There are 2 things I have questions about:
> 1. What rights are needed to perform AD replication monitoring when not
> a domain admin?
> 2. Using vbscript and the adsi interface, performing mass updates to
> user accounts. I have a feeling that .setinfo cannot be done as they are
> no longer domain admins, BUT, have full delegation to their users? Is
> there another permission needed for this?
> 
> Thanks.
> 

