Re: dcpromo without domain admin rights
- From: "Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Thu, 17 Aug 2006 16:40:14 +0200
Working with domain controllers requires highly trusted admins!
As long as they are not domain admins, it can be delegated to add new
domain controllers to a domain. After the machine is a DC they will no
longer have permissions to log on locally, and that is where it ends for them.
However, as long as the server is a non-DC those admins will be able to
install everything on the server they want to (including malicious code or
whatever). After that they are still able to promote the server to a DC. If
the server contains malicious code and a domain admin logs on, their
credentials might be compromised! Think about it before just doing it!
taken from "Best Practices for Delegating Active Directory Administration
Appendices.doc"
Create a replica (additional Domain Controller)
- User must be member of Administrators group on member server being promoted
- User Right "Enable computer and user accounts to be trusted for delegation"
- Inheritable RP on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
- Inheritable CC on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
- CC on OU=Domain Controllers,DC=<domain> to create Computer objects
- Full Control on the Computer object for the server that is being promoted
- Full Control to "Creator Owner" on CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Install-Replica on DC=<domain>
- Extended Right DS-Replication-Get-Changes on DC=<domain>
- Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on DC=<domain>
- Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on DC=<domain>
- Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on DC=<domain>
- Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on DC=<domain>
- Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
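The replica-creation list above grants several replication extended rights on all three naming contexts. The following audit script is an added example, not code from the thread or from Microsoft's document: it resolves those right names to their rightsGuid values from the Extended-Rights container and reports every principal that holds them, so a delegated promotion group can be reviewed and removed again once the promotion is done. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session with read access to the directory.

```powershell
# Added audit example (not part of the thread): who holds the DC-installation and
# replication extended rights named in the delegation list, per naming context?
# Assumes the ActiveDirectory module (RSAT) and an authorised, domain-joined session.
Import-Module ActiveDirectory

$rightsToCheck = @(
    'DS-Install-Replica', 'DS-Replication-Get-Changes',
    'DS-Replication-Get-Changes-All', 'DS-Replication-Synchronize',
    'DS-Replication-Manage-Topology', 'DS-Replication-Monitor-Topology'
)

$rootDse  = Get-ADRootDSE
$contexts = @($rootDse.defaultNamingContext,
              $rootDse.configurationNamingContext,
              $rootDse.schemaNamingContext)

# Resolve right names to rightsGuid values from the directory instead of hard-coding GUIDs.
$guidToName = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties cn, rightsGuid |
    Where-Object { $rightsToCheck -contains $_.cn } |
    ForEach-Object { $guidToName[[guid]$_.rightsGuid] = $_.cn }

$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$findings = foreach ($dn in $contexts) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.ActiveDirectoryRights -band $extRight) -eq 0) { continue }

        # An empty ObjectType GUID grants every extended right; otherwise match one GUID.
        if ($ace.ObjectType -eq [guid]::Empty) { $matched = $rightsToCheck }
        elseif ($guidToName.ContainsKey($ace.ObjectType)) { $matched = @($guidToName[$ace.ObjectType]) }
        else { continue }

        foreach ($right in $matched) {
            [pscustomobject]@{
                Context   = $dn
                Right     = $right
                Identity  = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Review anything beyond the built-in DC groups and Administrators: Get-Changes-All on
# the domain naming context allows replication of secret attributes, not just topology.
$findings | Sort-Object Context, Right, Identity | Format-Table -AutoSize
```

Run it before delegating and again after the promotion; the second run should show the delegated group gone from every context.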
"Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%236G1wS7uGHA.1772@xxxxxxxxxxxxxxxxxxxxxxx
This is a Domain Admin responsibility. You are playing with fire, I
wouldn't even consider doing this. You could end up getting it to
work -sort of- and not know of failures that occurred. Some creation that
the Microsoft developers didn't take into account, so it never let you
know. Six months down the line crazy things start happening and you
attribute it to anything but the dcpromo.
I highly suggest you not consider doing this in any type of production
environment.
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"fb" <f.blaesen@xxxxxxxxxxxxx> wrote in message
news:%23dCRUY5uGHA.1436@xxxxxxxxxxxxxxxxxxxxxxx
I am trying dcpromo for a Windows 2003 member server in a 2003 domain for
a user without domain admin rights. I found some tips on the net, but
finally it doesn't work.
I tried this:
- I created a security group called "JCNS_Admins". Then I created a user
called "jcns_admin" and added it to the group "JCNS_Admins".
- Then I installed Windows 2003 on the computer, named it "jcnsdc01" and
put it into the active directory ou called "jcns". This ou is managed by
the group "JCNS_Admins". The flag "trust for delegation" is set for this
computer account.
- The default domain controller policy is modified to grant the rights
"Enable computer and user accounts to be trusted for delegation" and
"Add workstations to domain" to the group "JCNS_Admins", followed by
gpupdate and checking on the domain controller for correct settings.
- I modified some Active Directory ACL settings based on information in
active_directory newsgroups:
  CN=System,DC=rootdomain,dc=com
    This object only - Read, Create Child Objects
    Trusted Domain Objects - Full Control
  CN=Configuration,DC=rootdomain,dc=com
    This object only - Read all properties, read permissions, manage
    replication topology, replicating directory changes, replication
    synchronisation
  CN=Schema,CN=Configuration,DC=rootdomain,DC=com
    This object only - Read, Manage Replication Topology, Replicating
    Directory Changes, Replication Synchronisation
  CN=<appropriate site>,CN=sites,CN=configuration,DC=rootdomain,dc=com
    This object and All Child Objects - Read, Create all child objects
    Server Objects - Full Control
- At last I ran dcpromo on "jcnsdc01" using the account "jcns_admin".
dcpromo failed with error message:
The operation failed because:
Active Directory could not create the NTDS Settings object for this
domain controller
CN=NTDS Settings,CN=JCNSDC01,CN=Servers,CN=JCNS,CN=Sites,CN=Configuration,DC=iffw2k,DC=kfa-juelich,dc=de
on the remote domain controller jcnsdc02.iffw2k.kfa-juelich.de
Ensure the provided network credentials have sufficient permissions.
- When I look at the configuration container with ADSIEdit, I can see an
entry for
CN=jcnsdc01,CN=Servers,CN=Sites,CN=Configuration,DC=iffw2k,DC=kfa-juelich,DC=de.
The group "JCNS_Admins" has full control (ACL). I can't understand why
dcpromo is unable to create the entry for "NTDS Settings".
- By the way, I tried dcpromo on jcnsdc01 with a domain admin account
and it works fine. Then I demoted it. With ldp.exe I checked for some
rests of jcnsdc01, but jcnsdc01 was completely removed.
What's wrong? Any help would be appreciated.
Franz