Re: "Domain Admins", user account and privileges
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Mon, 29 Jan 2007 10:59:43 -0600
<jwat@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:1170086696.304503.256560@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> This is a multi-part inquiry and hopefully all my questions get
> answered.
> 1. Should a domain admin (user who is a member of the "domain admins"
> group) also be a part of the "domain users" group?
Yes, and will be by default since practically all users of the domain
are inserted into that group automatically (unless special methods are
used to avoid this.)
> a. If yes, how do I handle permissions for this user when
> permissions for "domain users" are restricted?
Restricting permissions is done with DENY, or by never granting
permissions at all -- and there are differences in the effect from an
owner or admin perspective.
Avoid DENY permissions in general, and especially on groups
applying to (almost) everybody, e.g., Everyone, Domain Users,
Users, Authenticated Users.
The trick to permissions is only to GIVE the permission necessary
and (almost) never use the DENY to try to take it away.
Remove references to Domain Users (etc), rather than trying to
deny on such groups.
> Suppose I have
> disabled on "write" access on a network shared folder. This user will
> no longer have "write" access ...
Then GIVE permissions for READ (or some superset of READ) without
the write, rather than trying to deny it.
> ... to that folder because the most
> restrictive policy applies.
Not true, but a common misunderstanding or misapplication of the "most
restrictive" to the WRONG place.
Most restrictive is only correct for when TWO ACCESS Methods are
involved, e.g., Share permissions and NTFS permissions. The user must have
"enough" at BOTH checks when coming through the network; this is where
the term most restrictive is properly applied.
Giving Read to Users, and FC to Admins in no way restricts the admins.
For one ACL (access control list), i.e., for one access method, the rule
is actually the opposite: the SUM of all permissions for the user and the
user's groups (as long as certain weird cases like DENY are not involved.)
> 2. This is a strange one: when the user is a member of "domain users"
> he has the ability to add a local printer. When he is not a member of
> "domain users" the add a local printer option is ghosted or grayed
> out. This is due to GPO restrictions on the "Domain Users" group.
Interesting. Didn't know that but I have never seen anyone try to remove
Admins from Domain Users. (It's actually a bit tricky to do.) Don't do
that. <grin>
> Any and all suggestions are welcome. Please clarify these issues for
> me. Thank you.
Grant what you want them to have. And only what you want them to
have. Then you can always grant more through a different group.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
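The two evaluation rules Herb describes (allow entries within one ACL are summed across the account and its groups, a DENY strips rights regardless, and the share and NTFS checks intersect so "most restrictive" applies only across the two) modelled in Python. This is an added illustration, not code from the post; the principal names, right names and ACLs are constructed samples.

```python
# Model of Windows effective-permission evaluation for one ACL and for the
# share + NTFS combination. Added example; principal and right names are
# constructed for illustration, not taken from the original post.
FULL = frozenset({"read", "write", "delete", "change_permissions"})

def ace(principal, rights, deny=False):
    """One access control entry: who, which rights, allow or deny."""
    return (principal, frozenset(rights), deny)

def effective_for_acl(acl, principals):
    """Effective rights from ONE ACL (NTFS or share) for an account whose
    token carries `principals` (the account itself plus all its groups).
    Within a single ACL the allow ACEs are SUMMED across those principals;
    a matching DENY ACE strips its rights no matter what else is allowed."""
    allowed, denied = set(), set()
    for principal, rights, deny in acl:
        if principal in principals:
            (denied if deny else allowed).update(rights)
    return frozenset(allowed - denied)

def effective_over_network(share_acl, ntfs_acl, principals):
    """Two access methods (share AND NTFS): the caller must pass both checks,
    so the result is the intersection. This is the only place where
    'most restrictive' is the right rule."""
    return effective_for_acl(share_acl, principals) & effective_for_acl(
        ntfs_acl, principals)

# Constructed sample: an admin account that is in Domain Users (the default)
# as well as Domain Admins.
ADMIN = frozenset({"admin1", "Domain Users", "Domain Admins", "Everyone"})

# Read for Domain Users, Full Control for Domain Admins: admins keep FC,
# because within one ACL the grants add up.
NTFS_GRANT_ONLY = [ace("Domain Users", {"read"}), ace("Domain Admins", FULL)]

# Same ACL, but Domain Users were "restricted" with a DENY on write:
# the admin, being a Domain User too, loses write as well.
NTFS_WITH_DENY = NTFS_GRANT_ONLY + [ace("Domain Users", {"write"}, deny=True)]

# Share permission left at read for Everyone while NTFS grants FC to admins:
# through the network the admin only gets read (both checks must pass).
SHARE_READ_ONLY = [ace("Everyone", {"read"})]

if __name__ == "__main__":
    print(sorted(effective_for_acl(NTFS_GRANT_ONLY, ADMIN)))
    print(sorted(effective_for_acl(NTFS_WITH_DENY, ADMIN)))
    print(sorted(effective_over_network(SHARE_READ_ONLY, NTFS_GRANT_ONLY, ADMIN)))
```

The third case is the one the reply warns about: a DENY on a broad group reaches the admins as well, which is why granting only what is needed beats denying.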