Re: replication monitoring rights


From: BCE (dirwolf_at_speakeasy.net)
Date: 01/27/05


Date: Wed, 26 Jan 2005 22:03:31 -0500

I agree and am glad they finally did it; it took an audit and the threat of
millions in fines to finally get over the crying and remove everyone.
These people are not that good at scripting and want to use replmon.

-- 
BRIAN EDWARDO
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message 
news:u6Cb6jBBFHA.3416@TK2MSFTNGP09.phx.gbl...
> 1. Actually this can be done with normal user rights if you use the right 
> things. The Repadmin and replmon tools use an RPC interface that forces 
> you to use enhanced rights. If you use the iadstools DLL and scripts, it reads 
> the AD attributes directly and dumps the info, so it can be done with a normal 
> user ID.
>
> 2. You don't need to be a DA to do a setinfo. It depends entirely on the 
> rights.
>
>
> Overall kicking everyone out of DA's is the best thing you can do. I ran a 
> 250,000 user global forest with 2 other guys, we three were the only ones 
> with DA or EA access. Everyone else had some level of delegated rights. I 
> don't generally recommend giving people full control over user objects; it 
> tends to give too many permissions, especially when running Exchange.
>
>   joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> edwardb wrote:
>> We have recently gone through a strict security measure and removed
>> pretty much everyone from domain admins and started to delegate every
>> little task people need to do.
>> There are 2 things I have questions about:
>> 1. What rights are needed to perform AD replication monitoring when not
>> a domain admin?
>> 2. Using vbscript and the adsi interface, performing mass updates to
>> user accounts. I have a feeling that .setinfo cannot be done as they are
>> no longer domain admins, BUT, have full delegation to their users? Is
>> there another permission needed for this?
>>
>> Thanks.
>> 

