Re: sbs user permissions
- From: <param@xxxxxxxxxxxxxxxx>
- Date: Mon, 25 Jul 2005 15:55:28 -0500
Can I set deny permissions to change permissions on my account?
TIA
"Matt Gibson" <mattg@xxxxxxxxxxxxxxx> wrote in message
news:eaVS2%23SkFHA.3316@xxxxxxxxxxxxxxxxxxxxxxx
> She'll need Domain Admin privileges to do all the tasks you want her to.
> You cannot set her permissions to Deny on just your account, because as an
> Admin, she can just change them back. An Administrator on a DC is
> basically the same as a Domain Admin.
>
> Matt Gibson - GSEC
>
> <param@xxxxxxxxxxxxxxxx> wrote in message
> news:ezGRONSkFHA.3580@xxxxxxxxxxxxxxxxxxxxxxx
>> Charles, thanks for the reply. I am not understanding your statement on
>> security holes. That is precisely the reason why I do not want to give
>> her permission on mine and my boss's mailbox & AD account. What would
>> happen if I set deny permissions on my account to for just her user
>> account?
>>
>> Also, why would she need Domain Admin privileges? Why not just
>> Administrators privileges?
>>
>> TIA!
>>
>> ""Charles Yang [MSFT]"" <v-chayan@xxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:d%23qJ1UMkFHA.3120@xxxxxxxxxxxxxxxxxxxxxxxx
>>> Hi,
>>>
>>> Welcome to our SBS newsgroup.
>>>
>>> I am sorry for the delayed response due to weekend. Please understand
>>> that
>>> the newsgroups are staffed weekdays by Microsoft Support professionals
>>> to
>>> answer your systems and applications questions. Your understanding is
>>> greatly appreciated!
>>>
>>> Issue description:
>>>
>>> I understand that you want to customize one SBS user's permission to
>>> give
>>> her some special permission.
>>>
>>> Analyzing and suggestions:
>>>
>>> By default, we can use delegate control to give user special permission,
>>> after checking your requirement, it might be difficult to delegate such
>>> kinds of permission to a special user. As the permission you required
>>> for
>>> that user is a full Domain Admin permission, by default if you applied
>>> this
>>> kinds of permission to that user, the user will have the right to change
>>> the password of any users.
>>>
>>> We can not set limitation to only allow user to change part of users'
>>> permission in special group. So it might be impossible to achieve your
>>> goal. As this might be a security hole, if such user can be created, the
>>> hacker can use this kinds of user to change the password of other admin'
>>> password then they can use it to steal the password of you and your
>>> boss.
>>>
>>> However you can refer to the steps below to see the permission we can
>>> delegate to SBS users.
>>>
>>> 1. Navigate to ADUC on server management, navigate to the OU that the
>>> user
>>> exist.
>>> 2. Right click the OU, choose delegate control.
>>> 3. Follow the wizard to delegate the permission to the special user.
>>>
>>> You can refer to the article below to see which kinds of permission, you
>>> can delegate to the users:
>>>
>>> Delegate control Wizard on SBS 2003 server:
>>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
>>> activedirectory/stepbystep/ctrlwiz.mspx
>>>
>>> I appreciate your understanding, if you have any further concerns;
>>> please
>>> feel free to let me know. I will be here waiting for your updates.
>>>
>>>
>>>
>>> Best regards,
>>>
>>> Charles Yang (MSFT)
>>>
>>> Microsoft CSS Online Newsgroup Support
>>>
>>> Get Secure! - www.microsoft.com/security
>>>
>>> ======================================================
>>> This newsgroup only focuses on SBS technical issues. If you have issues
>>> regarding other Microsoft products, you'd better post in the
>>> corresponding
>>> newsgroups so that they can be resolved in an efficient and timely
>>> manner.
>>> You can locate the newsgroup here:
>>> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>>>
>>> When opening a new thread via the web interface, we recommend you check
>>> the
>>> "Notify me of replies" box to receive e-mail notifications when there
>>> are
>>> any updates in your thread. When responding to posts via your
>>> newsreader,
>>> please "Reply to Group" so that others may learn and benefit from your
>>> issue.
>>>
>>> Microsoft engineers can only focus on one issue per thread. Although we
>>> provide other information for your reference, we recommend you post
>>> different incidents in different threads to keep the thread clean. In
>>> doing
>>> so, it will ensure your issues are resolved in a timely manner.
>>>
>>> For urgent issues, you may want to contact Microsoft CSS directly.
>>> Please
>>> check http://support.microsoft.com for regional support phone numbers.
>>>
>>> Any input or comments in this thread are highly appreciated.
>>> ======================================================
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>>
>>> =====================================================
>>> When responding to posts, please "Reply to Group" via your newsreader so
>>> that others may learn and benefit from your issue.
>>> =====================================================
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>
>>
>
>
.
- Follow-Ups:
- Re: sbs user permissions
- From: Matt Gibson
- Re: sbs user permissions
- References:
- sbs user permissions
- From: param
- RE: sbs user permissions
- From: "Charles Yang [MSFT]"
- Re: sbs user permissions
- From: param
- Re: sbs user permissions
- From: Matt Gibson
- sbs user permissions
- Prev by Date: Event 1000 - activation.exe while adding licenses to SBS 2003
- Next by Date: Re: sbs user permissions
- Previous by thread: Re: sbs user permissions
- Next by thread: Re: sbs user permissions
- Index(es):
Relevant Pages
|
