Re: Admin accounts for Run As purposes only

From: Celery (Celery_at_discussions.microsoft.com)
Date: 12/19/04


Date: Sun, 19 Dec 2004 08:41:01 -0800

Thanks to all...

I agree with the ideal world, but domain admins in the organisation are a
legacy problem inherited from NT4 days, and now that we're finally
implementing AD, I'm trying to prevent the same anarchy that it was.

I know we can delegate a lot of tasks now, such as user account
administration, printer administration under AD delegation, etc., but when
someone needed to be able to check groups linked to NTFS permissions on
folders across lots of servers, convenience took priority, as well as
IT-illiterate management peer pressure.

Staff with domain admins got lazy and used their DA account everywhere on a
daily basis and it became habit to use that account rather than log off / on
as their other DA account...

I wanted to find a way of making users use their standard accounts at all
times and stop them using their DA account unless used for Run As purposes,
similar to the "Deny log on locally" privilege. It's a mad place here, I
know!

Incidentally, without DA privileges, what is the best practice for giving IT
admin users the ability to see what security group is linked to a folder, or
to create a new folder resource and link new groups to it? Make them a local
administrator on each file server, or CACLS-append a new security group
containing IT admin staff with full control over all data folders? Also, if
the same people need to troubleshoot servers, services, etc., make them
Server Operators too?

Kind Regards

"Oli Restorick [MVP]" wrote:

> Hi
>
> If you've already messed around with the "Deny Log on Locally" privilege,
> you will have found that it applies to the runas command as well as
> interactive logons.
>
> I don't think a domain admin user should be logging in on any workstation,
> using runas or not. Domain controllers, yes. Workstations whose state you
> don't know, no.
>
> Not sure of a good solution for what you're trying to do. My feeling is
> that it's best to delegate the control you need. When they're fault-finding
> on a user's workstation, do your administrators need to be creating new
> domain admins, changing group policy, or modifying the payroll system? If
> not, they have no business using a domain admin password. In an ideal
> world, they shouldn't even have a domain admin account.
>
> Oli
>
>
>
> "Celery" <Celery@discussions.microsoft.com> wrote in message
> news:FA2E2633-7BB1-408A-84C2-FC3F22802FBF@microsoft.com...
> > Per best practices, I want to ensure that Domain Admins staff do not log
> > in
> > with their domain admin account, but with a standard account, and then use
> > their domain admin account for Run As only.
> > I know in this day and age, we should be able to trust DAs, but is there a
> > way of achieving the following scenario:
> >
> > A domain admin person will have two accounts, a standard account eg Fred,
> > and a domain admin account called FredDA. I want to allow them to log on
> > to
> > clients and servers using Fred and then use Run As and then enter their
> > Domain Admin credentials to carry out the necessary task. I therefore
> > want
> > the FredDA account to not be able to log on to a client or server but only
> > allow it for Run As only.
> >
> > I know this sounds drastic, but too many corners are being cut and sooner
> > or
> > later something serious will happen! It also safeguards against risks of
> > viruses and trojans with DA privileges...
> > Thanks for any responses!
>
>
>
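An added example, not code from anyone in this thread: the "CACLS-append a security group over all data folders" option above, written as a PowerShell script that grants an IT admin group only the NTFS rights the described tasks need (reading a folder's DACL, and optionally creating folders and editing their ACLs) rather than Full Control or local Administrators membership. The UNC root, the group name CONTOSO\IT-FileAdmins and the one-folder-per-share layout are assumptions for illustration; adjust them to your environment.

```powershell
# Added example (not from the original thread). Grants an IT admin group the
# minimum NTFS rights needed to inspect, and optionally manage, the ACLs on the
# top-level data folders under a share, instead of Full Control.
#
# Run it once, under an account that already holds Full Control or ownership on
# the folders (for instance a DA account via Run As): Set-Acl needs WRITE_DAC.
# The day-to-day admin staff then use their standard accounts with these rights.
param(
    [string]$Root       = '\\FILESERVER01\Data',     # assumed data root (UNC path)
    [string]$AdminGroup = 'CONTOSO\IT-FileAdmins',   # assumed domain group for IT admin staff
    [switch]$AllowManage                             # also allow creating folders and editing ACLs
)

$FSR = [System.Security.AccessControl.FileSystemRights]

# Rights needed only to *see* which groups are linked to a folder:
#   ReadPermissions -> Get-Acl and the Security tab can read the DACL
#   ListDirectory / ReadAttributes -> the admin can browse down the tree
$inspectRights = $FSR::ReadPermissions -bor $FSR::ListDirectory -bor $FSR::ReadAttributes

# Extra rights to create a folder and link a group to it. Still short of
# Full Control: no Delete, no TakeOwnership, no read/write of the data itself.
$manageRights = $inspectRights -bor $FSR::CreateDirectories -bor $FSR::ChangePermissions

$rights = if ($AllowManage) { $manageRights } else { $inspectRights }

# Apply to the folder and everything beneath it.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AdminGroup, $rights, $inherit, $propagate,
    [System.Security.AccessControl.AccessControlType]::Allow)

foreach ($folder in Get-ChildItem -Path $Root -Directory) {
    $acl = Get-Acl -Path $folder.FullName

    # Skip folders where the group already has an explicit (non-inherited) Allow ACE,
    # so the script can be re-run safely as new shares appear.
    $existing = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $AdminGroup -and
        $_.AccessControlType -eq 'Allow'
    }
    if ($existing) {
        Write-Host "Skipping $($folder.FullName): $AdminGroup already has an explicit Allow ACE"
        continue
    }

    $acl.AddAccessRule($ace)
    Set-Acl -Path $folder.FullName -AclObject $acl
    Write-Host "Granted [$rights] to $AdminGroup on $($folder.FullName)"
}

# Verification: this is the check an IT admin can now run with a standard
# account that is a member of $AdminGroup. It lists the explicit (non-inherited)
# ACEs on each top-level folder, i.e. which security groups are linked to it.
foreach ($folder in Get-ChildItem -Path $Root -Directory) {
    (Get-Acl -Path $folder.FullName).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0,-30} {1,-35} {2,-6} {3}' -f $folder.Name, $_.IdentityReference,
                $_.AccessControlType, $_.FileSystemRights
        }
}
```

Two caveats that a practitioner would want here. First, ChangePermissions (WRITE_DAC) lets the holder grant themselves any further right on that folder, so the -AllowManage variant is delegation, not containment; it only keeps the group out of the data until someone chooses to widen an ACE, and that change is visible in the folder's DACL (and in the Security log if object-access auditing is enabled). Second, the inspect-only rights let the admin read a folder's ACL but not the files in it, which is exactly the separation the original question is after: checking which group is linked to a folder does not require local Administrators membership on the file server.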


