Re: Admin accounts for Run As purposes only

From: Celery (Celery_at_discussions.microsoft.com)
Date: 12/19/04


Date: Sun, 19 Dec 2004 10:39:08 -0800

Thanks Oli. Totally agree with your points.

It's my intention to remove them from the DA group and put them into the local
Administrators group of each server that needs to be managed.

But... If I put them into the builtin local Administrators group on a domain
controller, is this just as strong as a Domain Admin or is it more limited /
localised?

Cheers!

"Oli Restorick [MVP]" wrote:

> Making someone an administrator of a server is quite different to making
> them a domain admin and is the appropriate course of action in many
> circumstances.
>
> Basically, by taking someone out of the domain admins group and making them
> administrators of all the machines they need to manage, you still achieve a
> great deal of functionality and you also prevent an attacker from scripting
> the addition of new high-privilege accounts to run when a domain admin logs
> in.
>
> You have to strike a balance. It gets difficult to achieve this sort of
> thing when you're using domain controllers as file servers and when you
> don't have enough servers to achieve a separation.
>
> At the end of the day, you have to trust your administrators, but it's easy
> to slip into thinking that everything that is done under an administrator's
> account was done by the person sat at the console and not by some script or
> executable that just happens to be running in the background.
>
> Regards
>
> Oli
>
>
>
>
> "Celery" <Celery@discussions.microsoft.com> wrote in message
> news:8E1F3D14-3B0F-4495-BE10-FE871A366EBD@microsoft.com...
> > Thanks to all...
> >
> > I agree with the ideal world, but domain admins in the organisation is a
> > legacy problem inherited from NT4 days and now that we're finally
> > implementing AD, I'm trying to prevent the same anarchy that it was.
> >
> > I know we can delegate a lot of tasks now such as user account
> > administration, printer administration under AD delegation etc, but when
> > someone needed to be able to check groups linked to NTFS permissions on
> > folders across lots of servers, convenience took priority as well as
> > IT-illiterate management peer pressure.
> >
> > Staff with domain admins got lazy and used their DA account everywhere on
> > a daily basis and it became habit to use that account rather than log off
> > / on as their other DA account...
> >
> > I wanted to find a way of making users use their standard accounts at all
> > times and stop them using their DA account unless used for Run As
> > purposes, similar to the "Deny log on locally" privilege. It's a mad place
> > here, I know!
> >
> > Incidentally, without DA privileges, what is the best practice for giving
> > IT admin users the ability to see what security group is linked to a
> > folder, or being able to create a new folder resource and link new groups
> > to it? Make them a local administrator on each file server or CACLS append
> > a new security group over all data folders that contains IT admin staff
> > with full control? Also, if the same people need to troubleshoot servers,
> > services etc, make them Server Operators too?
> >
> > Kind Regards
> >
> >
> > "Oli Restorick [MVP]" wrote:
> >
> >> Hi
> >>
> >> If you've already messed around with the "Deny Log on Locally" privilege,
> >> you will have found that it applies to the runas command as well as
> >> interactive logons.
> >>
> >> I don't think a domain admin user should be logging in on any
> >> workstation, using runas or not. Domain controllers, yes. Workstations
> >> whose state you don't know, no.
> >>
> >> Not sure of a good solution for what you're trying to do. My feeling is
> >> that it's best to delegate the control you need. When they're
> >> fault-finding on a user's workstations, do your administrators need to be
> >> creating new domain admins, changing group policy, or modifying the
> >> payroll system? If not, they have no business using a domain admin
> >> password. In an ideal world, they shouldn't even have a domain admin
> >> account.
> >>
> >> Oli
> >>
> >>
> >>
> >> "Celery" <Celery@discussions.microsoft.com> wrote in message
> >> news:FA2E2633-7BB1-408A-84C2-FC3F22802FBF@microsoft.com...
> >> > Per best practices, I want to ensure that Domain Admins staff do not
> >> > log in with their domain admin account, but with a standard account,
> >> > and then use their domain admin account for Run As only.
> >> > I know in this day and age, we should be able to trust DAs, but is
> >> > there a way of achieving the following scenario:
> >> >
> >> > A domain admin person will have two accounts, a standard account e.g.
> >> > Fred, and a domain admin account called FredDA. I want to allow them to
> >> > log on to clients and servers using Fred and then use Run As and then
> >> > enter their Domain Admin credentials to carry out the necessary task. I
> >> > therefore want the FredDA account to not be able to log on to a client
> >> > or server but only allow it for Run As only.
> >> >
> >> > I know this sounds drastic, but too many corners are being cut and
> >> > sooner or later something serious will happen! It also safeguards
> >> > against risks of viruses and trojans with DA privileges...
> >> > Thanks for any responses!
> >>
> >>
> >>
>
>
>

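An added example, not part of the thread above, that puts two of its points into a script a practitioner can run: first, that the "local" Administrators group on a domain controller is not local at all but the domain's built-in group (SID S-1-5-32-544, stored under CN=Builtin and therefore identical on every DC), which is why the last question in the thread matters; second, that plain runas performs an Interactive logon (type 2), exactly like a console logon, which is why "Deny log on locally" blocks it, whereas runas /netonly performs a NewCredentials logon (type 9) and is not blocked. The script enumerates both groups through ADSI and then pulls successful-logon events for the Domain Admins members from a host's Security log, grouped by logon type. Assumptions: a domain-joined host with read access to AD and to the remote Security log, Windows Vista/2008 or later event IDs (4624; the 2003-era equivalent was 528), and the workstation name WS01, which is a placeholder.

```powershell
# Added example, not from the original thread. Audits where Domain Admins
# accounts actually log on, and shows that a DC's Administrators group is
# the domain's built-in group rather than a per-machine one.
# Assumes: domain-joined host, rights to read AD and the target's Security
# log, Vista/2008+ event IDs. 'WS01' below is a placeholder host name.

# Resolve the sAMAccountName of every direct member of a group via ADSI.
function Get-GroupMemberSam {
    param([string]$GroupDn)
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($dn in @($group.member)) {
        $m = [ADSI]"LDAP://$dn"
        [string]$m.sAMAccountName
    }
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext

# Domain Admins is a global group under CN=Users.
$daMembers = Get-GroupMemberSam "CN=Domain Admins,CN=Users,$domainDn"

# The Administrators group you see in "local" Users and Groups on a DC is
# this object: the domain's built-in group, SID S-1-5-32-544, held in
# CN=Builtin. Membership is shared by every DC in the domain, so adding
# someone here grants administrative control of all DCs, not one server.
$builtinAdmins = Get-GroupMemberSam "CN=Administrators,CN=Builtin,$domainDn"

Write-Host "Domain Admins         : $($daMembers -join ', ')"
Write-Host "Builtin Administrators: $($builtinAdmins -join ', ')"

# Logon types relevant to the runas discussion:
#   2  Interactive       console logon AND plain 'runas' (Deny log on locally
#                        applies to both)
#   3  Network           SMB/RPC access, e.g. reading NTFS ACLs on a file server
#   9  NewCredentials    'runas /netonly': no local logon right required, the
#                        process runs as the caller, only network auth changes
#   10 RemoteInteractive RDP
$logonTypeName = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service';
                    7='Unlock'; 8='NetworkCleartext'; 9='NewCredentials';
                    10='RemoteInteractive'; 11='CachedInteractive' }

# Return successful logons (event 4624) by the given accounts from a host's
# Security log, tagged with the logon type name.
function Get-PrivilegedLogons {
    param(
        [string]$ComputerName,
        [string[]]$Accounts,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is easiest to read back from the event's XML form.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($Accounts -contains $d['TargetUserName']) {
            $type = [int]$d['LogonType']
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = $d['TargetUserName']
                LogonType = $type
                TypeName  = $logonTypeName[$type]
                Host      = $ComputerName
                Source    = $d['IpAddress']
            }
        }
    }
}

# Example run: which DA accounts have logged on to WS01 in the last week,
# and how. Interactive entries on a workstation are the habit the thread
# is trying to break.
Get-PrivilegedLogons -ComputerName 'WS01' -Accounts $daMembers |
    Group-Object Account, TypeName |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Run it from any domain-joined host as an account that can read the remote Security log. A type 2 row for a DA account on a workstation means either a console logon or a plain runas; if the plan is to keep the DA accounts usable only for elevated tasks while denying local logon, the type 9 (runas /netonly) rows are the ones that survive that restriction.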