Re: computeraccount in admingroup?



I guess that is correct but they will have to have significant rights to
spawn the task as a system account. I have only seen local admins do this,
but I'm sure you can tweak rights to do this. So no average user or power
user on this server is going to be able to do this, only administrating type
accounts.



--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:%230KMbMmGGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
>I am not sure I understand your questions.
>
> However... Computer accounts in AD are a type of user account. The
> computers authenticate to those accounts when the machines boot up and
> get their Kerberos tickets just like users do. They constantly renew
> those tickets just like a user who stays logged on. If that computer is
> added to a domain group, that group is in the security token of the
> computer (and in the kerb creds).
>
> Anything that that group has access to, the computer itself will have
> access to as well (note that this doesn't mean users on the computer
> necessarily, only processes running in the computer's context such as
> localsystem, localservice, and networkservice).
>
> If you add the AD computer account (or any AD group) to another computer's
> admin group, it will work just like a user has been added to the admin
> group. An attempt from the computer (not users logged onto the computer)
> to connect to that other computer will result in getting a kerb service
> ticket which will authenticate the computer on the other computer and it
> will add the administrators group SID to the local token so that the first
> computer has admin rights on the second computer.
>
> Again, this is all just like normal users, you just have to be in the
> security context of the computer, which is the contexts mentioned above.
> Getting there isn't tough if you have more than user rights to the
> specific computer. You just have to get the AT service or some other
> service to do what you want as localsystem or networkservice. Child's play
> actually.
>
> joe
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Paul Bergson wrote:
>> How when the remote machine has a secret password? Am I misunderstanding
>> the scenario?
>>
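
An audit sketch for the situation discussed in this thread, added here as an example and not written by either poster: it parses `net localgroup Administrators` output collected per host, flags computer accounts in the local admin group, and lists which principals gain admin on a host only because they administer a machine whose account is trusted there. The host names, the CORP domain and the sample output are constructed, and the trailing `$` test is a heuristic.

```python
import re

# Constructed sample data: `net localgroup Administrators` output from two
# hypothetical hosts (WEB01, DB01) in an invented domain CORP.
HEADER = "Alias name     Administrators\n\nMembers\n\n" + "-" * 79 + "\n"
FOOTER = "The command completed successfully.\n"
SAMPLE = {
    "WEB01": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\webops\n" + FOOTER,
    "DB01": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\WEB01$\n" + FOOTER,
}


def parse_members(host, output):
    """Members listed after the dashed rule; local names are qualified as HOST\\name."""
    members, in_list = set(), False
    for line in (l.strip() for l in output.splitlines()):
        if re.fullmatch(r"-{5,}", line):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.add(line if "\\" in line else f"{host}\\{line}")
    return members


def is_machine(member):
    # Computer accounts have a sAMAccountName ending in '$' (so do gMSAs, which
    # this heuristic also flags for review).
    return member.endswith("$")


def computer_admins(outputs):
    """host -> names of machines whose computer account is a local admin there."""
    found = {}
    for host, text in outputs.items():
        machines = {m.split("\\")[-1][:-1].upper()
                    for m in parse_members(host, text) if is_machine(m)}
        if machines:
            found[host] = machines
    return found


def inherited_admins(outputs):
    """host -> principals that gain admin there only via a trusted machine (one hop)."""
    direct = {h: parse_members(h, t) for h, t in outputs.items()}
    result = {}
    for host, machines in computer_admins(outputs).items():
        via = set()
        for src in machines:
            via |= {m for m in direct.get(src, set()) if not is_machine(m)}
        result[host] = via - direct[host]
    return result
```

Group members such as `CORP\Domain Admins` are reported as listed and are not expanded; resolving nested groups needs a directory query that this offline sketch does not make.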
