Re: Any tool to let me narrow down and assing granular permissions

from ad prespective, each user "by default" can query that information, to
allow reset of pw we need to delegate the task to that user or group wich
the user is memberof.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
"Mr. Magoo" <MrMagoo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:455F9E9C-80D3-4A65-B961-E6CD56606948@xxxxxxxxxxxxxxxx
let me explain:
In my case a certain SSL VPN appliance need to run a service account with
special AD permissions to perform reset of any user passwords in the
domain,
discover which groups users are members of, etc.

"Jorge Silva" wrote:

Hi
To install software you generally need local admin permission, to run the
software itself you should only need a normal user account.
If that account can't run the software after installed, you could run
filemon and regmon from sysinternals and check where the access is being
denied, than change the permissions on these specific objects.
Note: logon with that account and run the sysinternals tools with the
runas
feature with an local admin account.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
"Mr. Magoo" <MrMagoo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:587D8AEA-F4FA-48C4-BD4E-7176E6D637EC@xxxxxxxxxxxxxxxx
A vendor of a certain PoorProduct has requested domain admin credentials
account to let his application run in our environment.

Instead, I want to create a service account and grant specific rights
such
account requires. I need to find out which minimum permissions such
account
need in order to accomplish the task.

Other than going permission by permission in the "Security" tab, is
there
any recent tool out there which could let me perform the transaction
using
the certainaccount, fail, analyze the type of permission required and
then
apply those using the security tab in AD users & computers?





.

Relevant Pages

  • Re: Admin members and passwords
    ... If you can't trust your admins, ... Go to your user account in AD Users and Computers and in your account ... >> ways or remove the deny permission if you do need to reset it. ...
    (microsoft.public.win2000.security)
  • Re: Any tool to let me narrow down and assing granular permissions
    ... MCSE, MVP Directory Services ... "Jorge Silva" wrote: ... In my case a certain SSL VPN appliance need to run a service account ... To install software you generally need local admin permission, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Membership in Admin groups resets Send As permissions - Blackberrys broken for administrator
    ... permission. ... one possible 'best practice' is to remove my 'normal' account ... are non operational with administrator accounts. ... The adminSDHolder object is a template for accounts that have broad ...
    (microsoft.public.exchange.admin)
  • RE: OWA Exchange 2007 - Client Access
    ... Do you access the "room" mailbox or the problematic user's mailbox itself ... when the user keeps getting prompted for logon credencials. ... Add User A account to the list. ... Highlight User A account and assign the Send As and Receive As permission ...
    (microsoft.public.exchange.connectivity)
  • RE: OWA Exchange 2007 - Client Access
    ... Add User A account to the list. ... Highlight User A account and assign the Send As and Receive As permission ... If a user account is a member of one of these administrative groups because ... 2.Please capture the screenshot of OWA logon when the user keeps getting ...
    (microsoft.public.exchange.connectivity)