And, yep - that's what my research today showed as well.  Netlogon, LSASS -
not much difference when you can't block the process from writing when you
need to....

Ah, well....

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, July 21, 2003 9:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

"You can be logical and still be wrong, Seielstad" - Mr. Howard, my 10th
grade Chemistry teacher, still rings through my head some days.

It is LSASS, which of course *is* NetLogon. According to process explorer,
at least.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 21, 2003 9:24 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Installation Priviledges only on a DC
> 
> 
> Yep - makes sense.  But, I'll have to test this, as I'm not sure on 
> that Roger.  I've done lots of delegation for our Remote sites, and I 
> don't recall anything other than the user being associated with a 
> process through ADU&C.  Guess I'll have to bust out the Winternals 
> tools and have a look....
> 
> Rick Kingslan  MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> Seielstad
> Sent: Monday, July 21, 2003 6:01 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Installation Priviledges only on a DC
> 
> Probably won't work.
> 
> The deny is on the file system, but it all depends what's really 
> writing to that file system now, doesn't it? For instance, when you 
> make a change via ADU&C, I'd expect that you're interacting with a 
> service (LSASS or NetLogon, most likely) on the DC. That service is 
> what's actually writing to the directory, so the deny isn't 
> applicable.
> 
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
> 
> 
> > -----Original Message-----
> > From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, July 19, 2003 10:31 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Installation Priviledges only on a DC
> > 
> > 
> > Then, given the end goal, (thinking here...might be a flaw) why not 
> > deny that same group permissions to the %SystemRoot%\NTDS directory?  
> > If the issue is AD and then mucking with the AD files themselves on 
> > the DC, just deny them.  Unless I'm mistaken (and given that I've just 
> > gotten up... It's possible) the deny should override other permissions.
> > 
> > (Now, Joe - what am I missing...?? ;0)  )
> > 
> > Rick Kingslan  MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> >  
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
> > Sent: Friday, July 18, 2003 11:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Installation Priviledges only on a DC
> > 
> > The only hole is that it still affords them rights to make screw-ups 
> > to the actual .dit file...
> > 
> > -m
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John Moran
> > Sent: Friday, July 18, 2003 3:00 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Installation Priviledges only on a DC
> > 
> > A quick down and dirty way to solve it would be to create an admin 
> > account for each person like ADMIN_username, then put them in a group, 
> > put the group in domain admins, and then place an explicit deny all at 
> > the root of the domain for the new group and let it trickle down 
> > through inheritance.  Watch who has rights to the group or you could 
> > wind up letting someone lock you out.
> > 
> > This will give them local administrative rights to the DCs without 
> > letting them muck up AD.
> > 
> > They still can do damage through RUN AS and some other exploits, but 
> > they would really have to go out of their way, and if you mistrust them 
> > that much they should not touch a DC at all.
> > 
> > Let me know if that works
> > 
> > -John
> > --- "Bond, Simon" <[EMAIL PROTECTED]> wrote:
> > > Basically my boss wants to give the server team the ability to install 
> > > updates and patches, etc. on domain controllers but not give them 
> > > domain admins permissions. Is this possible? My gut feeling is no.
> > > -----Original Message-----
> > > From: Marcus Oh [mailto:[EMAIL PROTECTED]
> > > Sent: 18 July 2003 02:38
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Installation Priviledges only on a DC
> > > 
> > > 
> > > Eh?  You want to allow someone else to "change" AD in some way?  BAD!  
> > > BAD!
> > > :-)  What's the proposition???
> > >  
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Bond, Simon
> > > Sent: Thursday, July 17, 2003 10:15 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: [ActiveDir] Installation Priviledges only on a DC
> > >  
> > > Is there a way to create a user who can log onto a DC and install 
> > > software on it but not be a domain admin? To me, logically, you would 
> > > have to be, since a piece of software you might be installing may need 
> > > to alter AD in some way. However, this is what I have been asked to do, 
> > > so I was hoping someone may be able to tell me one way or another.
> > >  
> > > Cheers
> > >  
> > > Simon
> > > 
> > > 
> > > This e-mail and all attachments are confidential and may be 
> > > privileged. If you have received this e-mail in error, notify the 
> > > sender immediately. Do not use, disseminate, store or copy it in any 
> > > way. Statements or opinions in this e-mail or any attachment are those 
> > > of the author and are not necessarily agreed or authorised by News 
> > > International (NI). NI Group may monitor emails sent or received for 
> > > operational or business reasons as permitted by law. NI Group accepts 
> > > no liability for viruses introduced by this e-mail or attachments. You 
> > > should employ virus checking software. News International Limited, 1 
> > > Virginia St, London E98 1XY, is the holding company for the News 
> > > International group and is registered in England No 81701
> > > 
> > 
> > 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
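The approach John Moran describes in the thread (a separate ADMIN_ account per person, collected in a group that is nested into Domain Admins, with an explicit Deny at the domain root that inherits downward), as an added PowerShell example. This is not code from the thread or from any of its participants. It assumes the ActiveDirectory module (RSAT) and that it is run from a Domain Admin session in the target domain; the group name DC-Server-Admins and the usernames are placeholders. It departs from the thread's "deny all" in one respect: the Deny ACE covers only the write-type rights (create/delete child, delete, write property, write DACL/owner, extended rights, validated writes) and leaves reads alone, so the accounts can still read the directory for Group Policy processing and read-only tooling.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (RSAT) and a Domain Admin session in the target domain. Names marked
# "placeholder" are assumptions, not anything from the original posts.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$groupName = 'DC-Server-Admins'      # placeholder
$people    = @('jsmith', 'mjones')   # placeholder sAMAccountNames

# 1. One dedicated ADMIN_<username> account per person, so the deny is
#    scoped to the admin identity and the daily account stays unprivileged.
$adminAccounts = foreach ($p in $people) {
    $sam = "ADMIN_$p"
    $pw  = Read-Host -AsSecureString -Prompt "Initial password for $sam"
    New-ADUser -Name $sam -SamAccountName $sam -AccountPassword $pw `
               -Enabled $true -ChangePasswordAtLogon $true -PassThru
}

# 2. Collect them in a group and nest that group into Domain Admins. That
#    membership is what gives them local Administrators on every DC.
$group = New-ADGroup -Name $groupName -GroupScope Global `
                     -GroupCategory Security -PassThru
Add-ADGroupMember -Identity $group -Members $adminAccounts
Add-ADGroupMember -Identity 'Domain Admins' -Members $group

# 3. Explicit Deny at the domain root, inherited by every object beneath it
#    that has not blocked inheritance. Deny ACEs are evaluated before Allow
#    ACEs, so this wins over the Allow entries Domain Admins otherwise get.
#    Only write-type rights are denied; reads stay intact.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Delete, DeleteTree, WriteProperty, WriteDacl, WriteOwner, ExtendedRight, Self'
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    $writeRights,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 4. Verify the ACE is on the root and is actually inherited further down.
#    Objects with inheritance blocked (everything AdminSDHolder protects)
#    will not show it, which is one of the holes discussed in the note below.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType -AutoSize

(Get-Acl -Path "AD:\CN=Users,$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights -AutoSize

# 5. John's warning: whoever can write 'member' on this group can put anyone
#    into Domain Admins. List the principals with that right so the list can
#    be pruned. bf9679c0-... is the schemaIDGUID of the 'member' attribute;
#    an empty GUID means the ACE covers all properties.
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
(Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $memberAttr -or $_.ObjectType -eq [guid]::Empty)
    } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType -AutoSize
```

Caveats a practitioner should weigh before relying on this. First, the point Roger and Rick arrive at in the thread applies to the directory ACL just as it does to the NTFS one: the members are local Administrators on every DC through the Domain Admins nesting, and anything they run as SYSTEM on a DC (a service, a scheduled task, a tool that impersonates SYSTEM) reaches the directory through LSASS, which is not subject to their user's Deny. Second, the Deny never reaches objects that block inheritance, and AdminSDHolder disables inheritance on every protected object (Domain Admins, Administrators, the built-in Administrator account, and, because it is now nested in Domain Admins, the new group itself) and reapplies an ACL in which Domain Admins have Full Control; a member can therefore still edit Domain Admins membership or the new group's membership directly. Third, the Windows access check grants the object owner READ_CONTROL and WRITE_DAC implicitly, and Domain Admins own every object a Domain Admin has created, so on those objects a member can rewrite the DACL and remove the Deny. Fourth, an ACE on the domain root inherits only within the domain naming context; the Configuration and Schema partitions would need their own Deny entries, and writing those DACLs needs Enterprise or Schema Admins rights. The construction buys some protection against accidents, which is what the thread is after; it does not hold up against a member who is trying to get around it.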