Re: Active Directory security questions
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Fri, 23 Dec 2005 00:44:51 -0500
Don't even think about changing the context of the services that come with Windows, you will just break it.
As for DA/EA/Administrators: when you get down to it, each can escalate to the others if they don't have those rights already. If DAs are not in the Administrators group of the DCs you will find things that don't work exactly as expected.
I really don't understand what you think you are going to accomplish by trying to lock down the admin groups and localsystem. Windows isn't designed to have you try and lock down those items and when you get down to it, you can't.
--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net
mschunk@xxxxxxxxxxxx wrote:
Thank you VERY much for your comprehensive reply....getting my head straight.
On DA's and EA's...I have but one domain in the forest, and I think you just taught me something new.
So, when a workstation/server is joined to a domain...DA is added to that PC's LOCAL Admins group by default. I've seen that. OK. EA's however, are not.
I assert then, that EA is a forest thing, DA is a domain thing...and the EA's, by default, become members of the DA of each domain that is added to the forest...that DA's are, by default, added to the LocalAdmins of each comp that is joined...but that DA's do NOT _have_ to be members of the _domain's_ built-in Administrators group. It's just that way by default, like it is for newly joined PC's.
Am I getting warmer???
On SYSTEM. So they _ARE_ the same thing. ("LocalSystem" in services snapin = "System" in ACL security windows.)
Well, let me count the number of services. Oh my. There are a TON, as you know I'm sure. So, how feasible is it to run most services within a context other than localsystem?
Event Log, ClipBook, Alerter, COM+ Event System, Computer Browser
...I don't want to list them all here...
What about "big" ones like:
Disk Manager, Workstation (lanman), Server (lanman)
...Telnet?
WMI services?
...Security Accounts Manager?
Geez. As I write I'm staring at the services list, and even w/ years of working with Windows, I don't even know what half this stuff REALLY does.
What about drivers? I got an ATI card installed on the DC and it runs something I know little about: the "ATI Smart" and "ATI HotKeyPoller" services? Change account, bounce service and pray?
What about DNS and DHCP. As long as these two run in a context that has access to their data files...will they run?
Or am I wasting time? It just seems like LocalSystem is an awfully big hole.
...But, LocalSystem has power over only its domain? Or does it get FC of all child domains as well?
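The thread argues about defaults (which groups end up where on join, and how many services run as LocalSystem) without checking them. The script below is an added example, not code from either poster: it enumerates Domain Admins, the domain's built-in Administrators group and Enterprise Admins (which lives only in the forest root domain), lists services whose logon account is LocalSystem, and checks whether the domain's Domain Admins group sits in the local Administrators group. It assumes the RSAT ActiveDirectory module and the LocalAccounts cmdlets (Windows 10 / Server 2016 and later) are available and that the caller may read group membership; the function names are mine.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module is installed
# and the script runs as an account allowed to read group membership.
Import-Module ActiveDirectory

function Get-AdminGroupReport {
    # Domain Admins and the built-in Administrators group are per-domain objects;
    # Enterprise Admins exists only in the forest root domain, so query it there.
    $rootDomain = (Get-ADForest).RootDomain
    $report = @()
    foreach ($spec in @(
        @{ Name = 'Domain Admins';     Server = $null },
        @{ Name = 'Administrators';    Server = $null },
        @{ Name = 'Enterprise Admins'; Server = $rootDomain }
    )) {
        $params = @{ Identity = $spec.Name; Recursive = $true }
        if ($spec.Server) { $params.Server = $spec.Server }
        # -Recursive expands nested groups, so an account that is in
        # Administrators only via Domain Admins still appears under Administrators.
        foreach ($m in (Get-ADGroupMember @params)) {
            $report += [pscustomobject]@{
                Group  = $spec.Name
                Member = $m.SamAccountName
                Class  = $m.objectClass
            }
        }
    }
    return $report
}

function Get-LocalSystemServices {
    # Win32_Service.StartName is the literal string 'LocalSystem' for services
    # running in that context; LocalService/NetworkService show as 'NT AUTHORITY\...'.
    # Third-party entries (the ATI services mentioned above, for instance) are the
    # ones to review first, since they are the easiest to move or remove.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Test-DomainAdminsInLocalAdministrators {
    # On a domain member the join process adds '<DOMAIN>\Domain Admins' to the
    # local Administrators group; this confirms whether that is still the case.
    # Requires the Microsoft.PowerShell.LocalAccounts module.
    $domain  = (Get-ADDomain).NetBIOSName
    $members = Get-LocalGroupMember -Group 'Administrators'
    return [bool]($members | Where-Object { $_.Name -eq "$domain\Domain Admins" })
}

# Usage: run on a domain member (or a DC, where 'Administrators' is the domain built-in group)
Get-AdminGroupReport | Sort-Object Group, Member | Format-Table -AutoSize
Get-LocalSystemServices | Sort-Object Name | Format-Table -AutoSize
"Domain Admins in local Administrators: $(Test-DomainAdminsInLocalAdministrators)"
```

The membership report is the useful part for the DA/EA question: comparing the three lists shows which accounts actually overlap, and the nested expansion is what makes a DA that is in Administrators only by group nesting visible. The service listing is there to size the LocalSystem problem rather than to suggest re-homing built-in services, which the reply above advises against.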