: Re: [ActiveDir] Domain
Controller Security
I agree, thanks joe, for your efforts !
Your answers always widen my thinking horizons,
I am not into ADS extensively, like you all experts, but have ambition
to become one.
I have to go long way, and I am here to learn.
joe How
exactly are you
] wrote:
As lucid, eloquent and logical as ever, joe.
Dan
From:
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, September 23, 2005 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security
That is fine, I have no problem
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, September 23, 2005 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security
Yep it is very hit and miss. Sort of the same with MCS and PSS folks and
honestly any
:
[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security
Even as a domain admin of a Child domain they will still be able to munge your forest or elevate their privileges. The security
publish the issue.
joe
From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security
I thought that in ad domains are considered security boundaries
:
[EMAIL PROTECTED]] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security
I thought that in ad domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered
2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security
I thought that in ad domains are considered security boundaries. In the cert exams, namely the 70-219, they are considered as such. Also, how would a domain admin of a child domain elevate his privileges
d feel like. Knowing after the fact
that I was poked is moot in my book, too little too late.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, September 23, 2005 7:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain
Contr
Here is my idea, Fred
Open up ADUC and click View / Advanced Features. Right click
on that one OU where he should only be allowed to change the passwords of the
users and choose Properties. Click Security tab, click Advanced button. Scroll
down to highlight OU. Click it and choose
Excuse my ignorance, but what is a TAM?
Dan
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, September 23, 2005
5:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain
Controller Security
And knowing it, I can
, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
Excuse my ignorance,
but what is a TAM?
Dan
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of ASB
Sent: Friday, September 23, 2005 5:46 AM
To: ActiveDir
:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Friday, September 23, 2005
12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
Excuse my ignorance, but what is a TAM?
Dan
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Systems
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Friday, September 23, 2005 12:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
Excuse my ignorance,
but what is a TAM?
Dan
From:
[EMAIL PROTECTED] [mailto
@mail.activedir.org
*Subject:* RE: [ActiveDir] Domain Controller Security
Excuse my ignorance, but what is a TAM?
Dan
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *ASB
*Sent:* Friday, September 23, 2005 5:46
/SCNA
Sent: Friday, September 23, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security
I believe that is your Technical Account Manager, from
Microsoft. If you have a support contract with them, they will assign a
TAM that will give you access
Thank you for the info
Dan
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, September 23, 2005
12:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
That is the acronym for a
Microsoft
Subject: Re: [ActiveDir] Domain Controller Security
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security
Us in SBSland have newsgroups and MVPs.
don't have a TAM either
Brian Desmond wrote:
*Technical Account Manager. When you spend ample money with MS, you
get one of these. I think a PSS contract is enough
, I don't know, but I will try to find out.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cace, Andrew
Sent: Friday, September 23, 2005 6:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security
We have a great TAM
PM
Please respond to
ActiveDir@mail.activedir.org
To
ActiveDir@mail.activedir.org
cc
Subject
RE: [ActiveDir] Domain Controller
Security
Yes, untrusted admin + DC logon access = no more security.
If you're trying to lock him down, then you can't give him access to the
DC. Can
Look through the archives.
The short answer is... "Just don't do it". You can't
possibly secure this regardless of what anyone says. If someone says it can be
made safe, stop asking them technical questions about Domain Controllers and
Active Directory.
Either you trust the person or you
Thanks all for your replies. Joe: I got you loud and clear
and agree.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 22, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
Look through
@mail.activedir.org
cc
Subject
RE: [ActiveDir] Domain Controller Security
Yes, untrusted admin + DC logon access = no more security. If you're trying to lock him down, then you can't give him access to the
DC. Can you give him a member server for the file shares and just delegate the password
, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree)
Gideon Ashcraft
Network Admin
Screen Actors Guild
<[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] Domain Controller Security
22, 2005
8:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
The only thing to do is to make him an admin of that site, or better
yet make that site a child domain and make him a domain admin of that child
domain. I know from experience that using
way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree)
Gideon Ashcraft
Network Admin
Screen Actors Guild
Subject: RE: [ActiveDir] Domain Controller Security
Look through the archives.
The short answer is... Just don't do it. You can't
From: [EMAIL PROTECTED] on behalf of Gideon Ashcraft
Sent: Thu 9/22/2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security
The only thing to do is to make him an admin of that site, or better yet make
that site a child domain and make
Of Phil Renouf
Sent: Thursday, September 22, 2005
1:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain
Controller Security
Even as a domain admin of a Child domain they will
still be able to munge your forest or elevate their privileges. The security
boundary in AD
: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
I thought that in ad
domains are considered security boundaries. In the cert exams, namely
Oh, and as for how, easy, but I won't tell
here...
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
I thought that in ad
domains
, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
I thought that in ad
domains are considered security boundaries. In the cert exams, namely the
70-219, they are considered as such. Also, how would a domain admin of a child
domain elevate his
a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree)
Gideon Ashcraft
Network Admin
Screen Actors Guild
Subject: RE: [ActiveDir] Domain Controller Security
Look through the archives.
The short answer is... Just don't do
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Thursday, September 22, 2005
12:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain
Controller Security
When Windows 2000 first came out the domain was thought of as the
security boundary and Microsoft even
Controller Security
Oh, and as for how, easy, but I won't tell
here...
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
I thought that in ad
(mind if it wraps)
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005
12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
I thought that in ad
domains are considered security
I am not asking for exact procedures, just
more of methods how.
Dan
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike
Sent: Thursday, September 22, 2005
2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security
Most of the answers to Fred's business need deal with the security issue of
the domain: valid, certainly, but if the contractor really has a need to
access files shares, how would he do it? Seems this DC is the sole site
Cool, thanks for the info
excellent as usual, joe.
Dan
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 22, 2005
2:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
The docs are wrong
is screwed up
when something gets screwed up when that is in place.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, September 22, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security
Most of the answer
what is the main security device in AD? What "features"
does it have?
nuff said
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of DeStefano, Dan
Sent: Thursday, September 22, 2005 2:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Se
don't have a problem with that. :o)
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, September 22, 2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
See, for instance, the demo Guido did in th
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain
Controller Security
Most of the answers to
Fred's business need deal with the security issue of the domain: valid,
certainly, but if the contractor really has a need to access files
shares, how would he do it? Seems this DC is the sole
Security
I am not asking for
exact procedures, just more of methods how.
Dan
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Hutchins, Mike
Sent: Thursday, September 22, 2005 2:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller
Security
Oh
1) Restricting his login to that particular DC
I would suggest, creating a group policy in which you add that user id in allow logon locally and allow logon through terminal services user rights.
And making sure that this Policy applies to that DC only, by security filtering on group policy.
NOTE:
Fred-
This is not possible. While you can make it more difficult
for the user to do things you don't want him to, if you give him either physical
access to the DC or the ability to log on to the DC, he is in a position to
elevate his permissions to the point of owning your forest.
If you
By the way, I found the link for giving a user right to manage shares, on a machine, without giving him additional administrative rights.
http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/409105.aspx
I don't know, I would like to give him rights to manage shares on DC, as he might easily
PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Wednesday, September 21, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security
That sounds dangerous.
If you give him access to that server, particularly local logon
access, you might as well just put
Yeah, I love/hate that guy
From: joe [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 27 May 2004 19:22:10 -0400
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...
Nope but it doesn't matter. If they can install a service (or replace a file
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-Original Message-
From: Chris Lynch [mailto:[EMAIL PROTECTED]
Sent: Friday, May 21, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security
-
From: Chris Lynch [mailto:[EMAIL PROTECTED]
Sent: Friday, May 21, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I know. I agree that this isn't good security practice. I wouldn't
PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Roger Seielstad
Sent: Friday, May 21, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...
True... I musta read half the question (again
I like Joe Richard's option - DCPromo it out, let the tech work on it, and
DCPromo it back in
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-Original Message-
From: Chris Lynch [mailto:[EMAIL
PROTECTED] On Behalf Of
Roger Seielstad
Sent: Friday, May 21, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...
True... I musta read half the question (again).
--
Roger D. Seielstad - MTS
]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger
Seielstad
Sent: Friday, May 21, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...
True... I musta read half the question (again).
--
Roger D
: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger
Seielstad
Sent: Friday, May 21, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...
True... I musta read half the question (again
]
Subject: RE: [ActiveDir] Domain Controller Security...
If memory serves me correctly Server Operators is going to put them under
the umbrella of AdminSDHolder so you'll need to consider what delegation has
been done on them. They'll be un-delegated (so to speak) next time SDProp
kicks.
I would like
, May 21, 2004 5:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...
Hey, ~Eric said what I said, he just said it nicer and in more words.
The first doesn't surprise me, the second, immensely so.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL