I also tend to use a prefix for admin accounts, however you can debate if this really makes sense. It's definitely user-friendly as the user only has to remember one account and then one pre- or postfix when he wants to use the admin-version of this account. And you shouldn't believe that the users will use different passwords...
However, this approach also shows which account you ought to attack if you want to gain higher privileges... This is one of the reasons, why in addition to creating separte OUs for the admin accounts, I hide these special OUs in AD so that the normal Authenticated User can't browse or query for all accounts with a special prefix - naturally, the OU is configured to be visible to the Admins themselves, but even here we make a differentiation who can see which admins (viewing the OU with the domain admin accounts is more restricted than viewing OUs with OU admin accounts) /Guido -----Original Message----- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Dienstag, 6. Januar 2004 16:16 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Wierd issue with security descriptor reverting on replication WE use 3 character prefixes ourselves, but the same basic result. -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Joe [mailto:[EMAIL PROTECTED] > Sent: Tuesday, January 06, 2004 8:23 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Wierd issue with security descriptor > reverting on replication > > > I agree with Guido. In fact any ID that has any delegated > rights in our AD > gets it on an ID called a $-ID. It is their normal userid > prefixed with a $. > That way they all sort to the top when sorted and it is > really obvious when > they are being used. I have been using $ ID's (and $$ ID's > for domain admins > - to indicate even more power that isn't delegated) for about > 7 years now, > it works fine though I have run into people who say it > doesn't for some odd > reason. I think they just feel uncomfortable with the special > character in > the name. > > joe > > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > GRILLENMEIER,GUIDO > (HP-Germany,ex1) > Sent: Tuesday, January 06, 2004 6:50 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Wierd issue with security descriptor > reverting on > replication > > yes, the adminSDholder is good for these kind of surprises, > but the main > reason it exists is that you don't accidentally grand a "downlevel" > group/user enough permissions to reset the PW on a highly priviledged > account - thus compromising security. > > You should definitely go with the "separate admin account" > model - this is > not just for enterprise or domain admins protected by the > adminSDholder, but > also for lower level OU or data admins, which could otherwise > be compromised > as well by a simple helpdesk user who is allowed to reset PW > at the specific > OU level containing your "lower level" admins... > > Rgd. your name in the from field when sending eMail: this is > less up to you, > than your Exchange Admins (unless you are the same guy). > Seems like your > Exchange folks have configured your SMTP GW servers to remove the > Display-Name and only to reveal the eMail address instead. I actually > preferr it this way, instead of showing a somewhat obscure > Display Name > (meant for internal handling of accounts) to the outside > world, like we do > it... > > /Guido > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > Sent: Dienstag, 6. Januar 2004 08:13 > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Wierd issue with security descriptor > reverting on > replication > > That looks like it might be the culprit. I need to do a > little bit more > checking and see if there are any exceptions, but this seems > like the most > logical explanation and so far it has born out. > > I think we can fix this as the admins are SUPPOSED to be using special > accounts for admin work and most of our applications that > require special > permissions shouldn't run on these users. > > Now, if I could figure out how to make my name show up in the > from field > when mailing to the list from Outlook, I'd be all set :) > > Thanks! > > Joe K. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Joe > Sent: Monday, January 05, 2004 11:43 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Wierd issue with security descriptor > reverting on > replication > > Joe it sounds like you are being bitten by adminSDHolder. > Poke around for it > (archives for here and the newsgroups and MSKB) you will find > considerable > info on it now. > > Basically there is a process that goes through and protects > certain accounts > (usually admin type accounts like Ent Admins, Dom Admins, > Admins, Acc Ops, > Serv Ops, etc) by removing the inherit flag and setting the > ACL to the ACL > of the adminSDHolder object in the system container. Once you > "clean up" > an > ID you should see it reset in about 5-10 minutes. > > Check to see if you have the admincount attribute populated > on these ID's, > that is the flag for the process. Any groups that the users > are in that have > that flag set will force the user to get that flag set as well. > > joe > > > > This message is for the designated recipient only and may contain > privileged, proprietary, or otherwise private information. > If you have > received it in error, please notify the sender immediately > and delete the > original. Any other use of the email by you is prohibited. > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
