Re: domain local backup operators and server operators groups question
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sat, 04 Feb 2006 15:03:14 -0500
Those two groups aren't really local groups, they are built-in groups. They are special in that the SID of the groups does not have domain affinity. What I mean by that is that the SID does not have the Domain SID in the group SID. So for instance, backup ops SID on ALL Windows NT and better machines around the world is
S-1-5-32-551
Where a normal domain local group will have a SID with the domain SID in it for instance
The SID for account JOE is S-1-5-21-1862701446-4008382571-2198042679
The SID for account JOE\dlg1 is S-1-5-21-1862701446-4008382571-2198042679-21169
Without domain affinity, any object can only have relevance to security on the machines that share the same SAM. So that narrows it down to domain controllers sharing builtin groups across all DCs of a domain and non-DCs not sharing those builtin groups with ANY other machines.
So for the answers to your questions, which should be obvious now:
1. No. Backup Ops from a domain can only work with DCs. This has been this way forever with NT and above.
2. Srv Ops only have rights on domain controllers. And again this has been the same forever with NT and above.
Your last question is answered by the above as well when you think about the scope of the SID of the groups as I described.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
djc wrote:
1) I have always assumed that membership in the 'domain local' Backup
Operators group meant you could perform backups on any computer in the
domain. I have recently come across information that states that members of
this group can perform backups ONLY on domain controllers. Which is correct?
And was there a change from 2k to 2k3?
2) Similarly, I have always assumed that the 'domain local' Server Operators
group had the server operator related user rights on ALL servers in the
domain and I have recently come across information that states that the
members of this group have these rights ONLY on domain controllers. Which is
correct? and was there a change from 2k to 2k3?
answers to 1 and 2 above would be greatly appreciated but in addition to
this the bigger question that this raises to me is this:
When speaking of 'domain local' group 'scope' for builtin groups that exist
for 'roles' more or less (meaning they have a particular set of user rights
assigned to them to accomplish certain tasks like performing backups), is
it true that these rights are ALWAYS only on domain controllers and not all
servers or computers in the domain? Obviously I'm trying to find a simple
rule to just remember.
any input is appreciated. Thanks.
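The SID-scope argument above, as an added worked example that is not part of the thread or of anyone's code: a small SID parser that tells a builtin SID (S-1-5-32-RID, no domain affinity) from a SID issued by a particular SAM (S-1-5-21-<domain>-RID), plus a toy model in which every DC shares the domain's account database while a member server has its own. The domain SID is the one quoted in the post; the user RID 1105, the member server's machine SID and the machine names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BUILTIN_DOMAIN_SUBAUTH = 32   # S-1-5-32-*: builtin groups, identical SID on every machine
NT_DOMAIN_SUBAUTH = 21        # S-1-5-21-*: SIDs issued by one specific SAM (domain or machine)
BACKUP_OPERATORS_RID = 551    # S-1-5-32-551, as quoted in the post
SERVER_OPERATORS_RID = 549


@dataclass(frozen=True)
class Sid:
    authority: int
    subauths: Tuple[int, ...]

    _PATTERN = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

    @classmethod
    def parse(cls, text: str) -> "Sid":
        m = cls._PATTERN.match(text)
        if not m:
            raise ValueError(f"not a textual SID: {text!r}")
        parts = m.group(2).split("-")[1:]          # drop the empty token before the first '-'
        return cls(int(m.group(1)), tuple(int(p) for p in parts))

    def __str__(self) -> str:
        return "S-1-%d-%s" % (self.authority, "-".join(str(s) for s in self.subauths))

    @property
    def rid(self) -> int:
        return self.subauths[-1]

    def is_builtin(self) -> bool:
        return (self.authority == 5 and len(self.subauths) == 2
                and self.subauths[0] == BUILTIN_DOMAIN_SUBAUTH)

    def issuing_sam_sid(self) -> Optional["Sid"]:
        """SID of the SAM (domain or machine) that issued this SID; None for builtin SIDs."""
        if (self.authority == 5 and len(self.subauths) >= 4
                and self.subauths[0] == NT_DOMAIN_SUBAUTH):
            return Sid(5, self.subauths[:4])
        return None

    def has_domain_affinity(self) -> bool:
        return self.issuing_sam_sid() is not None


@dataclass
class Sam:
    """One account database. All DCs of a domain share the domain's SAM;
    a member server or workstation has its own, with its own machine SID."""
    sid: Sid
    builtin_members: Dict[int, Set[Sid]] = field(default_factory=dict)

    def add_to_builtin(self, rid: int, member: Sid) -> None:
        self.builtin_members.setdefault(rid, set()).add(member)


@dataclass
class Machine:
    name: str
    sam: Sam   # the same Sam object for every DC, a private one for each member


def holds_builtin_role(machine: Machine, user: Sid, builtin_rid: int) -> bool:
    """True if `user` is in S-1-5-32-<builtin_rid> as seen from `machine`.
    Builtin SIDs carry no domain affinity, so membership is looked up in the
    machine's own SAM: what was recorded on a DC is invisible on a member server."""
    group = Sid(5, (BUILTIN_DOMAIN_SUBAUTH, builtin_rid))
    assert group.is_builtin() and not group.has_domain_affinity()
    return user in machine.sam.builtin_members.get(builtin_rid, set())


def build_scenario() -> Tuple[Sid, List[Machine]]:
    # Constructed scenario: domain SID from the post, user RID and machine SID made up.
    domain_sid = Sid.parse("S-1-5-21-1862701446-4008382571-2198042679")
    alice = Sid(5, domain_sid.subauths + (1105,))
    domain_sam = Sam(domain_sid)
    domain_sam.add_to_builtin(BACKUP_OPERATORS_RID, alice)   # added on a DC
    dc1 = Machine("DC1", domain_sam)
    dc2 = Machine("DC2", domain_sam)                          # shares the DC SAM
    member_sam = Sam(Sid.parse("S-1-5-21-1111111111-2222222222-3333333333"))
    srv1 = Machine("SRV1", member_sam)                        # its own SAM
    return alice, [dc1, dc2, srv1]


def backup_rights_by_machine() -> Dict[str, bool]:
    alice, machines = build_scenario()
    return {m.name: holds_builtin_role(m, alice, BACKUP_OPERATORS_RID) for m in machines}


if __name__ == "__main__":
    for name, ok in backup_rights_by_machine().items():
        print(f"{name}: Backup Operators member = {ok}")
```

The dictionary comes back as DC1 and DC2 True and SRV1 False: the user's own SID carries the domain's SID and so is meaningful everywhere, but the group SID S-1-5-32-551 is only resolved against whichever SAM the machine holds, which is the single rule the reply is describing.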