Re: ADUC Question
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 24 Aug 2006 11:04:59 -0400
If you do a lot of admin in that site, I recommend using
runas /user:userid cmd
That way you get a command prompt that you can launch any tools you want as that security context.
If the domain or machine you are trying to get a session for isn't trusted (i.e. untrusted domain or a remote workstation/server local id) then use the /netonly switch. Keep in mind that the password isn't verified until you connect to remote resource after doing that so it is possible it will spawn the required local app but still have the wrong password and you won't know until you try to touch the remote machine.
To run ADUC from the command prompt, you type dsa.msc. I would go a step further and then use the property tab for the command prompt you open to change the color so you are aware that it is
A) an Administrator context window
B) to another domain
Also, you have basically just admitted to doing something very bad/stupid from a security standpoint. You are using a single ID to do your normal user stuff and your admin stuff. You should not log into workstations interactively as an admin with rights to a domain because anything that compromises your machine now has those rights as well. So for instance, say I send you an email that has some code buried in it to wipe out your domain in ways you can't even imagine, if you are logged into your machine with a domain admin ID your domain and probably forest are now toast. Ditto for web surfing.
Every admin should have at least 2 IDs. The first ID is their normal user ID which has a mailbox and is used for doing mail and websurfing, etc. Best case, that ID isn't even an admin on the local workstation but I realize that is difficult for some apps at the moment. But still no excuse, that should be the goal. The second ID is the ID with enhanced rights. This ID is used for logging interactively into servers (which should be occurring very often at all generally) and being used with runas to connect to remote machines to do admin work.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
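The steps Joe describes (runas with /netonly for an untrusted domain, a recolored and retitled prompt so the admin context is obvious, then dsa.msc for ADUC) put together as one batch file. This is an added example, not Joe's code or anything from joeware.net; OTHERDOMAIN, adminid and dc1.otherdomain.example are placeholders you would replace with your own values. Because /netonly defers the password check, the spawned prompt touches a share on the remote DC right away so a mistyped password shows up immediately instead of on the first failed ADUC operation.

```batch
@echo off
rem Added example (not from the original post): open a visibly distinct
rem admin command prompt for a second domain and launch ADUC from it.
rem Placeholders (assumptions): OTHERDOMAIN, adminid, dc1.otherdomain.example.

rem /netonly: the new cmd.exe still runs locally as the calling user; the
rem OTHERDOMAIN credentials are only used for outbound network connections,
rem so runas cannot verify the password at this point.
rem color 4F (white on red) plus a title make it obvious that this window is
rem   A) an administrator context window
rem   B) to another domain
rem Inside the spawned prompt, "dir" against the DC's SYSVOL share forces the
rem credentials to be used immediately: a wrong password fails here, not later.
rem ADUC is started as dsa.msc (typing "ADUC" does nothing).
runas /netonly /user:OTHERDOMAIN\adminid "cmd /k color 4F && title ADMIN - OTHERDOMAIN && echo Checking OTHERDOMAIN credentials... && dir \\dc1.otherdomain.example\SYSVOL >nul && echo Credentials OK. Type dsa.msc to open ADUC. || echo Wrong password or DC unreachable. Close this window and retry."
```

Run the file from your normal, non-admin desktop session; runas prompts for the adminid password, and everything launched from the red window (including dsa.msc) connects to remote resources as OTHERDOMAIN\adminid. If the prompt appears but the SYSVOL check reports a failure, the password was wrong or the DC is unreachable, exactly the case Joe warns about.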
Pat Hall wrote:
Checked out runas. Nice tool. My problem now is how do I tell it the program I want to run is ADUC. It doesn't recognize ADUC or several other versions of the program I've tried to use. Anyone know what the secret is?
"Pat Hall" wrote:
I'm not familiar with the runas command. I'll go see what Google has on it.
Thanks
"Richard Oltmann" wrote:
Have you tried using the runas command ?
"Pat Hall" <PatHall@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:AEECB7C3-4B1D-4882-A349-3A110A96BED3@xxxxxxxxxxxxxxxx
I need to do maintenance to AD objects using ADUC that are in another
domain. I've been told I have to sign in to that domain with a different ID.
Is there a way to do this other than logging off my PC and logging on with
an ID in the other domain? I looked thru ADUC and didn't see anything.