Re: Account Operators accessing other account operators



Matt,

I can almost guarantee you that JoeR is N*O*T going to post the 'How to' on
this topic. Pretty much no one will.

Not trying to be rude, but this is the type of stuff that the 'script
kiddies - or, Jr. Sys Admins' get their hands on and then wreak havoc in
their environments. And then it comes out that an MVP posted this 'How to'.
That would not be a good thing.

There are a couple of seemingly good security books on Active Directory that
would probably give you hints along the way. I say 'seemingly' because I
have not read them. So, I do not really know for sure.

--
Cary W. Shultz
Roanoke, VA 24012

"Matt" <Matt@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4EAF1F29-3048-4363-98C3-8A6F6475D3EA@xxxxxxxxxxxxxxxx
Thanks for all the responses. I will have a look at delegation when I get a
chance. Yes our helpdesk users were account operators from our NT days and
it seemed convenient. We have about five OUs at the top level and I was
hoping to avoid having to delegate permissions on each OU (tree) and the
subsequent job of managing and troubleshooting delegation.

I was interested in the comment "if the acc ops are bright enough, they can
give themselves Domain and Enterprise Admin rights anyway. That is why you
want to use delegated accounts for AD data admins." How can they do this?
They do not appear to have access to their own accounts or anything above.
Obviously I do not want them to be able to do this (although I think that I
am safe with our helpdesk) so am interested in how they can do it.

Thanks.
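The per-OU delegation Matt weighs against leaving the helpdesk in the built-in Account Operators group, written out as an added example that is not part of this thread. It assumes the ActiveDirectory PowerShell module, a helpdesk group named "Helpdesk", and a domain whose top-level OUs are the ones the helpdesk should manage; it grants only password reset, unlock and force-change-at-next-logon on user objects, so nothing is granted on the admin groups that AdminSDHolder protects.

```powershell
# Added example (not from the thread): replace Account Operators membership with
# narrowly delegated rights on each top-level OU. Assumes the ActiveDirectory
# module and a group named "Helpdesk" (both assumptions, adjust to your domain).
Import-Module ActiveDirectory

$helpdesk    = Get-ADGroup -Identity 'Helpdesk'
$helpdeskSid = New-Object System.Security.Principal.SecurityIdentifier $helpdesk.SID
$domainDn    = (Get-ADDomain).DistinguishedName

# Well-known schema GUIDs from the AD schema (class, extended right, attributes).
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$lockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute (unlock)
$pwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet (must change at next logon)

$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$descend  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rpwp     = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# One pass over the top-level OUs: rights are granted on each OU, inherited by
# user objects beneath it, and never at the domain head or on the built-in containers.
foreach ($ou in Get-ADOrganizationalUnit -SearchBase $domainDn -SearchScope OneLevel -Filter *) {
    $path = "AD:\$($ou.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $helpdeskSid, $extRight, $allow, $resetPassword, $descend, $userClass))
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $helpdeskSid, $rpwp, $allow, $lockoutTime, $descend, $userClass))
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        $helpdeskSid, $rpwp, $allow, $pwdLastSet, $descend, $userClass))

    Set-Acl -Path $path -AclObject $acl
    Write-Host "Delegated helpdesk rights on $($ou.DistinguishedName)"
}

# Once the delegation is verified, take the helpdesk out of the built-in group.
# Remove-ADGroupMember -Identity 'Account Operators' -Members $helpdesk
```

Run it with an account that can write OU security descriptors, and review the resulting ACEs with dsacls or Get-Acl before removing anyone from Account Operators.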





