Re: What is easier: to delegate or to use ACLs?
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/14/05
- Next message: Emma: "AD/DNS and Novell"
- Previous message: aJd: "RE: time server help!!!"
- In reply to: Gera: "Re: What is easier: to delegate or to use ACLs?"
- Next in thread: Gera: "Re: What is easier: to delegate or to use ACLs?"
- Reply: Gera: "Re: What is easier: to delegate or to use ACLs?"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 13 Jan 2005 20:47:53 -0500
We had a forest of 11 domains, ~250,000 users, ~150,000 contacts, ~2000 servers,
~400 domain controllers distributed around the world, ~100,000 groups, ~200,000
workstations, plus several hundred UNIX kerberized machines (this was growing,
should eventually get to about ~5000).
For all of this we had three (3) domain admin analysts, one (1) supervisor above
us who had domain admin access, the default admin ID's with random 20 character
passwords in envelopes in a high level manager's office that we couldn't get to
without the manager so it had to be bad - we never had to go get the IDs.
The domain admins were DA's of every domain and also Enterprise Admins.
Our delegation model worked very well. We wrote scripts to do most of the
delegation right off so it was done consistently. We were very tight on what we
allowed, the more flexibility you allow the harder the overall environment is
too manage. Many of the things a lot of folks say they need they don't really
need, it is just bells and whistles and things to make them feel cool.
All user modifications went through an inhouse built provisioning system, the
DA's and 3-4 user admins had native access to users and that was it. The user
admins tended to do everything through the provisioning system anyway, they
didn't use their delegated IDs.
Delegated rights were
1. Ability to join pre-created machine accounts for servers
2. Ability to modify description of servers
3. Ability to create and join machine accounts for workstations
4. Ability to modify membership and description of groups
Anything not delegated to local admins or that couldn't be done through the user
provisioning tool was a ticket sent to our support queue as a request. We would
verify the requests and then send the request into a script that did the work.
Overall the environment was one of the smoothest running AD environments I have
seen or heard about.
-- Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net Gera wrote: > Ok, this amount of information is not bad either. > Especially the part that "MS isn't about to lay out the details as well." > ;-) > Most of these recomendations will be used anyway. > > By the way, _back to the topic_: from your 4 years of enterprise > environment, > was there some problems with Delegation of permissions? > Or you could assure that it possible to delegate any task in any scenario > (having a root-child forest) ? > > -- > Gera > > > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message > news:u$Z9uTZ%23EHA.3708@TK2MSFTNGP14.phx.gbl... > >>Heh. I have been playing with AD in a huge enterprise environment (I >>deployed it to a Fortune 5 company and operated it for ~4 years) for a >>long time. 4 years of Windows AD in an enterprise is like 20 years in a >>smaller company. :o) Prior to that I have ~4 years of Enterprise NT >>experience. >> >>Once you have admin on a single DC, yes, you use normal supported >>processes to compromise the rest of the forest. You don't have to do >>anything fancy. You only have to be fancy if you have NO local logon >>access or system file access to DCs. At that point depending on the type >>of access (network only or physical) you have different possible vectors. >>A properly secured and patched DC should be fairly safe if the only access >>is network only with no local logon or system file access to a DC and >>passwords are intelligent and the network is secured (i.e. not anyone can >>just plug in and see traffic to and from a DC). >> >>Other than that, I won't get any more specific. MS isn't about to lay out >>the details as well. Not sure if any other folks with the understanding >>are really willing to publish either as we all have AD environments and >>would rather not tell people specifically how to compromise them. :o) >> >> joe >> >> >>-- >>Joe Richards Microsoft MVP Windows Server Directory Services >>www.joeware.net >> >> >>Gera wrote: >> >>>Well, Joe, looking at your site, I can tell that I really do not >>>"understand >>>how AD works" like you, >>>though I am holding an MCSE/2000 ;-) >>> >>>Ok, I fully agree that a domain isn't a security boundary, but could you >>>at >>>least tell, >>>if this escalation done using official tools or in some another way, >>>manipulating SIDhistory and a like. >>>Could you write me personally at gera@lukrecija.lt, because I searched >>>this >>>queston on MS site and on the Internet with no luck. >>> >>>Thanks in advance, > > >
- Next message: Emma: "AD/DNS and Novell"
- Previous message: aJd: "RE: time server help!!!"
- In reply to: Gera: "Re: What is easier: to delegate or to use ACLs?"
- Next in thread: Gera: "Re: What is easier: to delegate or to use ACLs?"
- Reply: Gera: "Re: What is easier: to delegate or to use ACLs?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
