RE: [ActiveDir] OT: Computer Account in Local Administrators Group

Gil Kirkpatrick Tue, 11 Jul 2006 17:15:39 -0700

Set the resolution to 4096x6720, and... ahh, there it is. NOW the whole ego fits on the screen.

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 11, 2006 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

Almost always????

;o)

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, July 07, 2006 9:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

I see the flaws in my original statement, and should have worded it differently.

My interpretation of "Network Service" functionality is different from joe's. But joe is smarter than me, has some cool tools that give him much more authoritative information on these kind of things, and he is almost always correct. So, please listen to him.

If I have the time, I may come back and try to explain my interpretation.

Sincerely,
   _____
(, / | /)               /)     /)
    /---| (/_ ______   ___// _   // _
) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)
                               (/
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Thu 7/6/2006 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

A service running on ServerA as localsystem or networkservice will touch remote machines including ServerB with the security context of DOMAIN\ServerA, not networkservice.

A service running on ServerA in localservice should touch remote machines as anonymous.

At no point will configuring permission on ServerB to networkservice give any rights to ServerA, only processes running on the local machine (ServerB)) as networkservice.

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Thursday, July 06, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

I see...

If the service runs as LocalSystem, then it already has the highest privilege possible on that system. In this case, the vendor (or the vendor's support rep) may be asking for this simply for the "interact" portion of your statement. Without knowing what the app does, it's hard to tell. But, I'd ask the vendor's rep specifically what level of access is needed to perform whatever the app is supposed to perform on the "other machine".

Because, you see, if the app runs in the context of LocalSystem on ServerA and needs to do something on ServerB, the Network Service credentials will be used. If whatever is running on ServerB allows "Network Service" account to do the job, then there is no additional config or privilege to add on ServerA. Ask the vendor if "Network Service" has the ability to successfully "interact" with the other machine in question, or if the access can be configured to accommodate the "Network Service" account.

From: [EMAIL PROTECTED]
Sent: Thu 7/6/2006 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Computer Account in Local Administrators Group

I’m definitely not wanting to do this – but a vendor was saying to do it to allow one of their services to run as Local System and be able to interact with another machine.

I am very skeptical, and not allowing it.

Thanks,

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]om
Sent: Wednesday, July 05, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

More directly - WHY are you looking to do this? What problem are you trying to solve?

Sincerely,
   _____
(, / | /)               /)     /)
    /---| (/_ ______   ___// _   // _
) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/                             /)
                               (/
Microsoft MVP - Directory Services
http://www.readymaids.com/ - we know IT
http://www.akomolafe.com/
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: joe
Sent: Wed 7/5/2006 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

Ultimately, anyone with physical access to the remote PC will have Admin

rights over the PC in which you add the account to the admins group for.

Directly, anyone who can run anything as localsystem or networkservice will

have those rights.

--

O'Reilly Active Directory Third Edition -

http://www.joeware.net/win/ad3e.htm

-----Original Message-----

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of

[EMAIL PROTECTED]om

Sent: Wednesday, July 05, 2006 12:05 PM

To: ActiveDir@mail.activedir.org

Subject: [ActiveDir] OT: Computer Account in Local Administrators Group

What is the net effect of placing a remote computer account

(\\domain\computer_name) in the Local Administrators group?

Thanks,

James

List info   : http://www.activedir.org/List.aspx

List FAQ    : http://www.activedir.org/ListFAQ.aspx

List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx

List FAQ    : http://www.activedir.org/ListFAQ.aspx

List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] OT: Computer Account in Local Administrators Group

Reply via email to