Re: Renaming Admin ID - Making Sys Admins Accountable
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Wed, 19 Oct 2005 12:44:11 -0500
If they are 2003 member servers then you have remote access via the /console
switch.
--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
This posting is provided "AS IS" with no warranties, and confers no rights.
"hockeytown_rox" <hockeytownrox@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C9FA7CD9-4438-4C3E-904B-ED47099CE7F2@xxxxxxxxxxxxxxxx
> Paul,
>
> Thanks. I think their point was that these apps don't necessarily need
> domain admin credentials to run...but that they need to be launched somehow
> from the server. Once they log in and launch the application, they stated
> they then need to be able to administer the server from the console as well
> to do administrative tasks at the box as well. They couldn't just log off
> that power user to do admin tasks because the apps have to always be
> running.
> These are member servers on a 2003 domain.
>
> "Paul Bergson" wrote:
>
>> These legacy apps are a danger to your network security. Why would they
>> possibly need Domain Admin credentials? I don't believe they need that.
>> Find out what particular permission set they really need and then log these
>> machines on that way. They probably need access to resources on other
>> machines and the EASIEST way has been to just give these apps Domain Admin
>> privileges. What if someone wrote a script to create an account in one of
>> these apps that created an admin account or elevated someone to admin
>> status, etc... Get rid of these apps running as admin and do as you
>> suggested.
>>
>> Also if you were to migrate these boxes to server 2003 you could mstsc
>> /console and remotely run the console and still keep your two sessions up
>> and running.
>>
>> --
>>
>>
>> Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> "hockeytown_rox" <hockeytownrox@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> message
>> news:80C69C6E-C159-41FB-A4E8-B357FD10B4EB@xxxxxxxxxxxxxxxx
>> > We're about to embark upon renaming the Administrator ID and change the
>> > password in a 2000 AD environment. We then were going to make any system
>> > administrator create a separate service admin ID with their name that gives
>> > them domain admin permissions to do their work on AD and the 2000 servers.
>> >
>> > However, several of them have pushed back saying they have at least 3 or
>> > four servers that there are critical applications that MUST be run from the
>> > server console. These applications are critical to the business and are
>> > older legacy apps and do NOT run as services. They have to be launched and
>> > always be running. We recommend they launch these from a terminal session
>> > but this domain is running in Administrative mode for terminal services
>> > which leaves only two licenses or connections per box so that takes up one
>> > of the connections.
>> >
>> > We suggested creating a backup operator or power user ID for logging into
>> > the console and running these apps...but the Admins came back and argued
>> > that some tasks just HAVE to be performed at the console such as installing
>> > McAfee updates and other software, thus they could not log off the power
>> > user to do such tasks. The console must be logged in with admin permissions.
>> >
>> > Any advice out there on how to maintain auditing and accountability for sys
>> > admins by creating their own IDs, renaming the Administrator account but
>> > then also using an ID to log onto a console (not a session) for legacy apps
>> > that must be run this way???
>>
>>
>>
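The two practical points in this thread, reaching the console remotely without spending one of the two administrative-mode RDP connections and verifying that the "rename Administrator, give every admin a personal ID" policy actually took hold, can be checked from a workstation. The following is an added example written for this page; it is not code from the thread or from Paul Bergson. It assumes the ActiveDirectory PowerShell module (RSAT), which did not exist when the thread was written, and a hypothetical naming convention in which personal admin accounts are named `adm-<name>`; `SERVER01` is a placeholder host name.

```powershell
# Added example, not part of the original thread.
# Assumes: RSAT ActiveDirectory module; personal admin IDs named adm-<name>
# (hypothetical convention); SERVER01 is a placeholder for a legacy-app box.

# 1. Reach the physical console session remotely instead of consuming one of
#    the two administrative-mode terminal-services connections. The switch is
#    /console on Server 2003 and was renamed /admin from Server 2008 onward.
#      mstsc /v:SERVER01 /console     # Server 2003
#      mstsc /v:SERVER01 /admin       # Server 2008 and later

# 2. See which account currently owns the console session on the app server,
#    so the "console is logged on as Domain Admin" claim can be verified.
query user /server:SERVER01

Import-Module ActiveDirectory

# 3. The built-in Administrator keeps RID 500 whatever it is renamed to, so
#    test by SID rather than by name that the rename really happened.
$builtin = Get-ADUser -Filter * -Properties SID, Enabled |
    Where-Object { $_.SID.Value -like '*-500' }
if ($builtin.SamAccountName -eq 'Administrator') {
    Write-Warning 'Built-in Administrator (RID 500) has not been renamed.'
} else {
    Write-Output "Built-in Administrator is now '$($builtin.SamAccountName)' (Enabled: $($builtin.Enabled))."
}

# 4. List Domain Admins members that do not follow the personal-ID convention.
#    Anything that fails the pattern is a shared or application account whose
#    actions cannot be tied to one person in the security event log.
$pattern = '^adm-'   # assumed convention, adjust to your own
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.SamAccountName -Properties LastLogonDate, Enabled
        [pscustomobject]@{
            Account    = $u.SamAccountName
            PersonalID = ($u.SamAccountName -match $pattern)
            Enabled    = $u.Enabled
            LastLogon  = $u.LastLogonDate
        }
    } |
    Where-Object { -not $_.PersonalID } |
    Format-Table -AutoSize
```

Run it from an account that can read group membership; the last table is the list to take back to the admins who pushed back, since every row on it is an account the legacy apps or a shared login is using instead of a named person.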