Re: computeraccount in admingroup?



Hey Joe,

thanks very much for that detailed description!

Greetings, Joe.

Joe Richards [MVP] wrote:

> I am not sure I understand your questions.
>
> However... Computer accounts in AD are a type of user account. The computers
> authenticate to those accounts when the machines boot up and get their
> Kerberos tickets just like users do. They constantly renew those tickets just
> like a user who stays logged on. If that computer is added to a domain group,
> that group is in the security token of the computer (and in the Kerberos creds).
>
> Anything that that group has access to, the computer itself will have access to
> too (note that this doesn't mean users on the computer necessarily, only processes
> running in the computer's context such as LocalSystem, LocalService, and
> NetworkService).
>
> If you add the AD computer account (or any AD group) to another computer's admin
> group, it will work just like if a user had been added to the admin group. An
> attempt from the computer (not users logged onto the computer) to connect to
> that other computer will result in getting a Kerberos service ticket which will
> authenticate the computer on the other computer, and it will add the
> Administrators group SID to the local token so that the first computer has admin
> rights on the second computer.
>
> Again, this is all just like normal users, you just have to be in the security
> context of the computer, which is one of the contexts mentioned above. Getting there
> isn't tough if you have more than user rights on the specific computer. You just
> have to get the AT service or some other service to do what you want as
> LocalSystem or NetworkService. Child's play actually.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Paul Bergson wrote:
> > How when the remote machine has a secret password? Am I misunderstanding
> > the scenario?
> >
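
An added PowerShell example (not code from the original post or from Joe Richards) that puts the quoted explanation into practice from both sides: first it audits a machine's local Administrators group and reports every domain computer account that is a member, either directly or through a nested domain group; second it demonstrates the access path Joe describes by running a check as LocalSystem on this host, so that the SMB connection to the remote machine is authenticated with this host's computer account rather than the logged-on user. Assumptions: a domain-joined Windows host with PowerShell 5.1 or later, the .NET System.DirectoryServices.AccountManagement assembly, rights to enumerate the target's local SAM over RPC and to register a scheduled task locally, and the hypothetical host name target.example.local.

```powershell
# Added example; not from the original post. Assumes a domain-joined Windows
# host, PowerShell 5.1+, and a hypothetical remote host 'target.example.local'.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Enumerate the local Administrators group of a (local or remote) machine via the
# WinNT ADSI provider. The WinNT provider lists computer accounts as class 'User'
# with a trailing '$' in the name, which is why the name check below exists.
function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        [pscustomobject]@{
            Name    = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
            Class   = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # WinNT://DOMAIN/name for domain principals, WinNT://DOMAIN/HOST/name for local SAM ones
            ADsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

# Report every domain computer account that ends up with admin rights on the
# machine, expanding nested domain groups recursively (the "or any AD group" case).
function Get-ComputerAccountsInLocalAdmins {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain')
    foreach ($m in Get-LocalAdminMembers -ComputerName $ComputerName) {
        $parts = ($m.ADsPath -replace '^WinNT://', '') -split '/'
        if ($parts.Count -gt 2) { continue }   # local SAM principal, not a domain object
        $domain = $parts[0]
        if ($m.Class -eq 'User' -and $m.Name.EndsWith('$')) {
            [pscustomobject]@{ ComputerAccount = "$domain\$($m.Name)"; Via = 'direct member' }
        }
        elseif ($m.Class -eq 'Group') {
            $grp = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ctx, $m.Name)
            if ($null -eq $grp) { continue }   # e.g. a group from another forest we cannot resolve
            foreach ($p in $grp.GetMembers($true)) {
                if ($p -is [System.DirectoryServices.AccountManagement.ComputerPrincipal]) {
                    [pscustomobject]@{ ComputerAccount = "$domain\$($p.SamAccountName)"; Via = "group $($m.Name)" }
                }
            }
        }
    }
}

# Demonstrate the access path from the computer's own security context: a task
# registered to run as LocalSystem makes the SMB connection as THISHOST$, so
# \\target\admin$ opens only if THISHOST$ (or a group it belongs to) is in the
# target's Administrators group. Scheduled tasks stand in for the AT service
# mentioned in the post.
function Test-RemoteAdminAsSystem {
    param([Parameter(Mandatory)][string]$Target)
    $script = Join-Path $env:ProgramData 'machine-ctx-test.ps1'
    $out    = Join-Path $env:ProgramData 'machine-ctx-test.txt'
    @"
`$reachable = Test-Path "\\$Target\admin`$"
"`$(whoami) -> \\$Target\admin`$ reachable: `$reachable" | Set-Content -Path '$out'
"@ | Set-Content -Path $script

    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$script`""
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                     -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'MachineCtxTest' -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName 'MachineCtxTest'
    Start-Sleep -Seconds 10
    Unregister-ScheduledTask -TaskName 'MachineCtxTest' -Confirm:$false
    Get-Content -Path $out
    Remove-Item -Path $script, $out -ErrorAction SilentlyContinue
}

# Usage (hypothetical host name):
Get-ComputerAccountsInLocalAdmins -ComputerName 'target.example.local' | Format-Table -AutoSize
Test-RemoteAdminAsSystem -Target 'target.example.local'
```

The audit half is the check a practitioner wants: a computer account reached through a nested domain group grants exactly the same rights as a directly listed one, and it is the nested case that tends to go unnoticed. The second half needs local admin (or an equivalent service foothold) on the source host, which is the "more than user rights" precondition in the post; what it proves is that the resulting connection is authenticated as the machine, not as the user who registered the task.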



