Re: Administrator but not Domain Admin
- From: "RonK" <RonK@xxxxxxx>
- Date: Thu, 9 Jun 2005 22:16:21 -0400
You're working on the Domain Controller, not a Member Server! Where is this
App located?
Think about it!
RK
"Robert Trebor" <rtrebor@xxxxxxxxxxxx> wrote in message
news:%23LKogCWbFHA.3444@xxxxxxxxxxxxxxxxxxxxxxx
> Simple: he won't fix the old software otherwise; says he has some
> sort of tool that won't run from a user account on a workstation. We tried
> limiting him to a workstation but he just threw a fit. Meanwhile, the
> client needs the old software fixed-- now. I just added some explicit
> denies on the AD tools, which should help. I'd be happy to get it to the
> point of "he could elevate himself if he put his mind to it but probably
> can't be bothered and may not have the technical expertise." After he
> fixes the software, presumably we can remove all the access. I was just
> surprised that a machine admin could elevate himself to domain admin; that
> seems to be all wrong. The reverse I do understand; I can see that the
> Domain Admins group is actually found in Administrators, so all Domain
> Admins are Administrators. But machine to domain admin? Counter-intuitive
> if you ask me.
>
> "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
> wrote in message news:uZbga3VbFHA.4040@xxxxxxxxxxxxxxxxxxxxxxx
>> Why did this software vendor 'demand' Admin access and if he truly has
>> to have it.... I'd have him sign an indemnification agreement...he has
>> the keys to your kingdom.
>>
>> Robert Trebor wrote:
>> > I need to make a software vendor an administrator on a server
>> > running SBS 2003. He demanded this access and the client caved in, so
>> > I'm stuck. We don't want him to be a domain administrator if at all
>> > possible, though, so he can't see another, new server on the network
>> > running a competitor's software-- what's eventually going to replace
>> > his. Old Vendor's software hasn't been fully retired yet and needs
>> > immediate maintenance. Again, I'm stuck with the situation and have to
>> > make the best of it. I started with explicit denies on the other server
>> > and unnecessary shares on the SBS. I made Old Vendor an administrator,
>> > but I see that that gives him the ability to make himself a Domain
>> > Admin-- which would let him change permissions on the other server,
>> > among other things. What can I do to prevent Old Vendor from giving
>> > himself Domain Admin privileges while still allowing him to log on to
>> > the SBS? It doesn't have to be 100% bulletproof but I would like to
>> > give some reasonable assurance to the client that Old Vendor is limited
>> > to the SBS, where Old Software is installed.
>> >
>> >
>
>