And, Joe emoted:

> Well I guess you could but your system would
> probably become extremely secure and you would
> never have to worry about anyone including
> yourself modifying it ever again.

Cool. Then once I have it configured and working, it shouldn't ever break. Change control becomes a thing of the past, and all good things.... But, then, so does expandability, but that's such a small negative given the overall secure nature of the mod. Reliability and security - what more could one want? ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, July 21, 2003 6:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

It is true that ADUC runs in the context of the user who spawned the process. However, the way it operates is that it connects to a service and requests a change; that service is sponsored by LSASS, so it indeed runs as localsystem. Obviously you can't remove the rights to the DIT for LSASS.... Well, I guess you could, but your system would probably become extremely secure and you would never have to worry about anyone, including yourself, modifying it ever again.

The angle I thought you were going towards was the idea of someone modifying the DIT in a raw manner versus through the standard API.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, July 21, 2003 9:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

Yep - makes sense. But I'll have to test this, as I'm not sure on that, Roger. I've done lots of delegation for our remote sites, and I don't recall anything other than the user being associated with a process through ADU&C. Guess I'll have to bust out the Winternals tools and have a look....

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, July 21, 2003 6:01 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

Probably won't work. The deny is on the file system, but it all depends what's really writing to that file system now, doesn't it? For instance, when you make a change via ADU&C, I'd expect that you're interacting with a service (LSASS or NetLogon, most likely) on the DC. That service is what's actually writing to the directory, so the deny isn't applicable.

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Saturday, July 19, 2003 10:31 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Installation Priviledges only on a DC
>
> Then, given the end goal (thinking here... might be a flaw), why not
> deny that same group permissions to the %SystemRoot%\NTDS directory?
> If the issue is AD and then mucking with the AD files themselves on
> the DC, just deny them. Unless I'm mistaken (and given that I've just
> gotten up... it's possible), the deny should override other permissions.
>
> (Now, Joe - what am I missing...?? ;0) )
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
> Sent: Friday, July 18, 2003 11:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Installation Priviledges only on a DC
>
> The only hole is that it still affords them rights to make screw-ups
> to the actual .dit file...
>
> -m
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Moran
> Sent: Friday, July 18, 2003 3:00 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Installation Priviledges only on a DC
>
> A quick down-and-dirty way to solve it would be to create an admin
> account for each person like ADMIN_username, then put them in a group,
> put the group in Domain Admins, and then place an explicit deny all at
> the root of the domain for the new group and let it trickle down
> through inheritance. Watch who has rights to the group or you could
> wind up letting someone lock you out.
>
> This will give them local administrative rights to the DCs without
> letting them muck up AD.
>
> They still can do damage through RUN AS and some other exploits, but
> they would really have to go out of their way, and if you mistrust them
> that much they should not touch a DC at all.
>
> Let me know if that works.
>
> -John
>
> --- "Bond, Simon" <[EMAIL PROTECTED]> wrote:
> > Basically my boss wants to give the server team the ability to install
> > updates and patches, etc. on domain controllers but not give them
> > Domain Admins permissions. Is this possible? My gut feeling is no.
> >
> > -----Original Message-----
> > From: Marcus Oh [mailto:[EMAIL PROTECTED]
> > Sent: 18 July 2003 02:38
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Installation Priviledges only on a DC
> >
> > Eh? You want to allow someone else to "change" AD in some way? BAD!
> > BAD! :-) What's the proposition???
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bond, Simon
> > Sent: Thursday, July 17, 2003 10:15 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: [ActiveDir] Installation Priviledges only on a DC
> >
> > Is there a way to create a user who can log onto a DC and install
> > software on it but not be a domain admin? To me, logically, you would
> > have to be, since a piece of software you might be installing may need
> > to alter AD in some way. However, this is what I have been asked to do,
> > so I was hoping someone may be able to tell me one way or another.
> >
> > Cheers
> >
> > Simon
> >
> > This e-mail and all attachments are confidential and may be
> > privileged. If you have received this e-mail in error, notify the
> > sender immediately. Do not use, disseminate, store or copy it in any
> > way. Statements or opinions in this e-mail or any attachment are those
> > of the author and are not necessarily agreed or authorised by News
> > International (NI). NI Group may monitor emails sent or received for
> > operational or business reasons as permitted by law. NI Group accepts
> > no liability for viruses introduced by this e-mail or attachments. You
> > should employ virus checking software. News International Limited, 1
> > Virginia St, London E98 1XY, is the holding company for the News
> > International group and is registered in England No 81701

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
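John Moran's ADMIN_username delegation described in the thread, written up as an added PowerShell example (not code from the thread or from any of its authors). It assumes the ActiveDirectory module, a Domain Admin session, and the hypothetical group name DC-Installers and sample user jsmith; as John and the later replies note, this only fences off the directory through its DACL, and RunAs and membership in the new group itself remain the things to watch.

```powershell
# Added example: John Moran's "ADMIN_<user> in a group nested under Domain Admins,
# plus an explicit Deny at the domain root" approach, with a verification step.
# Assumes the ActiveDirectory module (RSAT). Group/user names below are constructed.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=local
$groupName = 'DC-Installers'                           # hypothetical group
$people    = @('jsmith')                               # constructed sample user(s)

# 1. Dedicated group that will be nested in Domain Admins. Keep its membership and
#    ownership tightly controlled: whoever can add members can put *anyone* in it.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}

# 2. One ADMIN_<user> account per person, added to the group (no shared accounts).
foreach ($u in $people) {
    $adminName = "ADMIN_$u"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$adminName'")) {
        New-ADUser -Name $adminName -SamAccountName $adminName -Enabled $true `
            -AccountPassword (Read-Host -AsSecureString "Password for $adminName")
    }
    Add-ADGroupMember -Identity $groupName -Members $adminName
}

# 3. Nest the group in Domain Admins; this is what yields local admin on every DC.
Add-ADGroupMember -Identity 'Domain Admins' -Members $groupName

# 4. Explicit Deny of all directory rights at the domain root, inherited downwards.
#    Explicit Deny ACEs are evaluated before Allow ACEs, so the nested Domain Admins
#    allow does not let these accounts write to objects that inherit this ACE.
$sid  = (Get-ADGroup $groupName).SID
$acl  = Get-Acl -Path "AD:\$domainDN"
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Deny,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 5. Verify the Deny ACE landed before anyone logs on with an ADMIN_ account.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and
                   $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Objects whose inheritance is blocked (for example those protected by AdminSDHolder) do not receive the inherited Deny, so check the resulting effective permissions on those separately rather than assuming the root ACE covers the whole domain.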
