Re: Admin accounts for Run As purposes only
From: Guido G (guidoDOTgrillenmeierAThpANOTHERDOTcom)
Date: 12/20/04
- Next message: Jake: "Can't Open Admin Templates"
- Previous message: Guido G: "Re: Trying to add a UPN suffix to an Organizational unit"
- In reply to: Celery: "Re: Admin accounts for Run As purposes only"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Admin accounts for Run As purposes only"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 20 Dec 2004 22:56:44 +0100
if the machine you want to delegate administrative rights to is a DC, then
the approach to grant your folks only local admin rights won't work... -
these rights are naturally sufficient to do anything in a domin (at least to
re-gain DA rights and then to do anything...)
/Guido
"Celery" <Celery@discussions.microsoft.com> wrote in message
news:68618CF9-380C-4E0D-B282-97D07672AAE3@microsoft.com...
> Thanks Oli. Totally agree with your points.
>
> Its my intention to remove them from DA group and put them into the local
> Administrators group of each server that needs to be managed.
>
> But... If I put them into the builtin local Administrators group on a
domain
> controller, is this just as strong as a Domain Admin or is it more limited
/
> localised?
>
> Cheers!
>
> "Oli Restorick [MVP]" wrote:
>
> > Making someone an administrator of a server is quite different to making
> > them a domain admin and is the appropriate course of action in many
> > circumstances.
> >
> > Basically, by taking someone out of the domain admins group and making
them
> > administrators of all the machines they need to manage, you still
achieve a
> > great deal of functionality and you also prevent an attacker from
scripting
> > the addition of new high-privilege accounts to run when a domain admin
logs
> > in.
> >
> > You have to strike a balance. It gets difficult to achieve this sort of
> > thing when you're using domain controllers as file servers and when you
> > don't have enough servers to achieve a separation.
> >
> > At the end of the day, you have to trust your administrators, but it's
easy
> > to slip into thinking that everything that is done under an
administrator's
> > account was done by the person sat at the console and not by some script
or
> > executable that just happens to be running in the background.
> >
> > Regards
> >
> > Oli
> >
> >
> >
> >
> > "Celery" <Celery@discussions.microsoft.com> wrote in message
> > news:8E1F3D14-3B0F-4495-BE10-FE871A366EBD@microsoft.com...
> > > Thanks to all...
> > >
> > > I agree with the ideal world, but domain admins in the organisation is
a
> > > legacy problem inherited from NT4 days and now that we're finally
> > > implementing AD, I'm trying to prevent the same anarchy that it was.
> > >
> > > I know we can delegate alot of tasks now such as user account
> > > administration, printer administration under AD delegation etc, but
when
> > > someone needed to be able to check groups linked to NTFS permissions
on
> > > folders across lots of servers, convenience took priority as well as
> > > IT-illiterate management peer pressure.
> > >
> > > Staff with domain admins got lazy and used their DA account everywhere
on
> > > a
> > > daily basis and it became habit to use that account rather than log
off /
> > > on
> > > as their other DA account...
> > >
> > > I wanted to find a way of making users use their standard accounts at
all
> > > times and stop them using their DA account unless used for Run As
> > > purposes,
> > > similarly like the "Deny log on locally privilege". Its a mad place
here,
> > > I
> > > know!
> > >
> > > Incidentally, without DA privileges, what is the best practice for
setting
> > > up IT admin users the ability to see what security group is linked to
a
> > > folder, or being able to create a new folder resource and link new
groups
> > > to
> > > it? Make them a local administrator on each file server or CACLS
append a
> > > new security group over all data folders that contains IT admin staff
with
> > > full control? Also, if the same people need to troubleshoot servers,
> > > services etc, make them Server Operators too?
> > >
> > > Kind Regards
> > >
> > >
> > > "Oli Restorick [MVP]" wrote:
> > >
> > >> Hi
> > >>
> > >> If you've already messed around with the "Deny Log on Locally"
privilege,
> > >> you will have found that it applies to the runas command as well as
> > >> interactive logons.
> > >>
> > >> I don't think a domain admin user should be logging in on any
> > >> workstation,
> > >> using runas or not. Domain controllers, yes. Workstations whose
state
> > >> you
> > >> don't know, no.
> > >>
> > >> Not sure of a good solution for what you're trying to do. My feeling
is
> > >> that it's best to delegate the control you need. When they're
> > >> fault-finding
> > >> on a user's workstations, do your administrators need to be creating
new
> > >> domain admins, changing group policy, or modifying the payroll
system?
> > >> If
> > >> not, they have no business using a domain admin password. In an
ideal
> > >> world, they shouldn't even have a domain admin account.
> > >>
> > >> Oli
> > >>
> > >>
> > >>
> > >> "Celery" <Celery@discussions.microsoft.com> wrote in message
> > >> news:FA2E2633-7BB1-408A-84C2-FC3F22802FBF@microsoft.com...
> > >> > Per best practices, I want to ensure that Domain Admins staff do
not
> > >> > log
> > >> > in
> > >> > with their domain admin account, but with a standard account, and
then
> > >> > use
> > >> > their domain admin account for Run As only.
> > >> > I know in this day and age, we should be able to trust DAs, but is
> > >> > there a
> > >> > way of achieving the following scenario:
> > >> >
> > >> > A domain admin person will have two accounts, a standard account eg
> > >> > Fred,
> > >> > and a domain admin account called FredDA. I want to allow them to
log
> > >> > on
> > >> > to
> > >> > clients and servers using Fred and then use Run As and then enter
their
> > >> > Domain Admin credentials to carry out the necessary task. I
therefore
> > >> > want
> > >> > the FredDA account to not be able to log on to a client or server
but
> > >> > only
> > >> > allow it for Run As only.
> > >> >
> > >> > I know this sounds drastic, but too many corners are being cut and
> > >> > sooner
> > >> > or
> > >> > later something serious will happen! It also safeguards against
risks
> > >> > of
> > >> > viruses and trojans with DA privileges...
> > >> > Thanks for any responses!
> > >>
> > >>
> > >>
> >
> >
> >
- Next message: Jake: "Can't Open Admin Templates"
- Previous message: Guido G: "Re: Trying to add a UPN suffix to an Organizational unit"
- In reply to: Celery: "Re: Admin accounts for Run As purposes only"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Admin accounts for Run As purposes only"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
