Ah, let's turn it around and say people ask what kinds of things they do that DON'T involve changes that they think require admin access. Also, are we specifically targeting things that people think they need Domain Admin for, or some level of delegation for? I'm not against doing delegation, much. I am against giving Domain Admin.
The thing is, admin work is generally two things:

1. Someone complains something isn't working, so you find out what (if anything) is wrong and correct it. Generally it is just someone not knowing how to use the system or not understanding how things work, and you just have to gather data to figure it out and then attempt to educate.

2. Add this, that or the other object (server, group, userid) or remove this or that, i.e. new implementation or decommission. These are things that should be automated into provisioning tools that do not require admin rights in a GUI on a workstation or server.

If something is truly wrong in the first category, you do all the troubleshooting work (or better yet some other lower-level admin does the troubleshooting work) and then you know exactly what you need to change; you quickly pop in with an admin ID, change it and get back out. Don't research with an admin ID unless it is required. Too much chance of going, "oh shit, what did I just do."

Quick things that I can think of that I get asked to do or that I do on my own are usually troubleshooting: should this account be able to log on, is this computer object active, what is the authentication path this machine should be following and is the path broken in any way, is this account locked out and if so where are the bad password attempts coming from, does this or that WINS record exist, how come I can't resolve this, that or the other thing, etc. Who is in this or that group? Does this, that or the other thing exist in AD, has it replicated, is replication working, how long is it taking to get changes around, etc. How come so-and-so can't change the description on this or that computer?

1. Should this account be able to log on? Use getuserinfo to pull the userid info. Are all of the fields correct? Is the ID locked? Expired? If so, send the user to the self-help system for unlocking. If expired, their manager didn't renew them; the manager needs to go into the provisioning system.

2. Is this computer object active? Use getuserinfo, adfind, secdata, etc.

3. What is the authentication path and is it working? You need to know how your environment works: what kind of client is it, what path is followed. Start chasing the path making sure everything is in place, starting with the client config, which you ask the local workstation admin for. Once you have that, verify WINS entries (if needed) via netsh (we have WINS records available to Authenticated Users for query). Verify DNS (NSLOOKUP - anyone can do). Verify the account isn't locked or expired. Hit DCs that might be used with an ADFIND query or a NET USE \\ipaddress\ipc$ (BONUS POINTS FOR ANYONE WHO TELLS ME WHY YOU SHOULD USE IP ADDRESS).

4. Is the account locked out? Unlock, getuserinfo. If so, I have a perl script that will run through all DCs in a domain dumping secdata data for each DC for the user, showing where the bad password attempts are occurring for a DC. If I need more than that, I have to dump the security log (dumpel), which does require admin currently (but doesn't have to if you implement something doing log scraping for you), but then I scan with a perl script. This isn't something we do much of anymore... We haven't done one for weeks or possibly months... I was just commenting to one of my coworkers about it. When people get locked out they usually aren't paying attention. They don't even start to come to us unless they get locked out over and over again, and we have gotten local site support groups and the worst offenders to start paying attention so that doesn't happen, or if it does, the local site asks enough questions to get the user to remember what they did. If someone is locked out of their account and it keeps locking over and over, we really don't consider it that important. We have 250,000 IDs; you locked yourself out, you shouldn't have done that - you get to wait until we get to you. The more often we see your name, the longer that takes each consecutive time. People catch on. We shouldn't remember anyone's name with 250,000 userids... We started to for a bit...

5. Does this or that WINS record exist? Again netsh wins, with the WINS read access opened up. If you don't want to open it to everyone, open it to your normal non-admin IDs, as you can't hurt it with read access. I also gave a web page where a user will type in their WINS primary and secondary and the resource they are trying to find, and it will look up the records on their behalf.

6. How come I can't resolve...? This is usually a client issue, so you ask for the settings and you know if they are right or not off the top of your head because you know the architecture. If they are right, you look in WINS and/or DNS, whichever is the proper spot, and you look for the name yourself with NETSH or NSLOOKUP.

7. Who is in this or that group? Lg / adfind / net group / net localgroup / 2kgrps (vbscript of mine)

8. Does this, that or the other thing exist in AD? ADFIND - most stuff can be seen by normal users, definitely the things people are usually looking for.

9. Has it replicated? ADFIND pumped through a perl script I have called alldc, which will run one command against all of the DCs in a given domain... Say I want to know if my description is the same on all DCs of domain X:

   Alldc domainx.com "adfind -h <server> -default -f name=joe description | grep -i description"

10. Is replication working? I have a perl script that uses iadstools.dll... Does not require admin rights to find all replication connections of all DCs and dump the errors.

11. How long to get changes around? Make some change to my account that I have access to by default... say comment, and then I have a perl script which will loop through the DCs watching for the change, or you can check the whenChanged attribute on all DCs via a command like in 9.

12. How come so-and-so can't change something in the directory? Question the support people, get the pertinent info, then adfind, dsacls, lg, etc. to make sure the user should be able to with the alleged information. If it is all correct, then re-question the user to find out where they are lying, etc...

13. What site is this machine in? Nltest

14. What subnets does this site have? Adfind, dsinfo (Dave Trulli tool - go Dave)

15. How many machines at such and such a site are old? Adfind, secdata, oldcmp

16. How many users have no logon script? Adfind.

17. Give this user a logon script. Go into the provisioning system.

18. What machines in the domain aren't following the naming standards or OS standards? ADFIND/SECDATA scan against the directory to dump info; perl to parse the data.

19. Jail the bad machines. Take the info gathered in 18, which may have taken an hour or two to get, and spend 30 seconds as an admin running a jail script against the jail output text file.

20. What is a list of GCs for a site? Nslookup / adfind

21. Is so-and-so DC a GC? Adfind / repadmin (Yes, repadmin will show you if a machine is a GC if you aren't an admin)

Simple adds/updates can be done simply by provisioning systems that allow you to connect with your normal ID, and then it does the work on your behalf (correctly and logged). You can also do this with, say, COM+ objects that run in the context of an admin ID on a server somewhere, which you have set your normal IDs up to be able to call into with a script to do the work. For any admin IDs that can't be reset with the normal self-help tool, for instance, we have a reset script that we run as normal users that calls out to a server that does the work for us and sends an email to the user to let them know what is happening. I need to reset an ID, I simply type reset$ domain\$userid and off it goes. They get the email and I get a copy as well so I know they got it.

MS has always tended to protect people from things by not allowing you to do things in the GUI unless you were an admin. User Manager was horrible for that... You need to be an admin to look at the admin group, for instance... TO LOOK AT IT! Command-line tool and bam, I am looking, no admin access. The Exchange tools are bad like that as well. Just last night I did a good 6-8 hours of work troubleshooting an Exchange issue and not once did I go into an admin ID context; it was all simply looking at the directory and pulling data and parsing it out. I could have done it from an admin ID but had no reason to. Could all Exchange issues be troubleshot that way? Nope, if I had had to go into some of the sharply protected areas I would have had to bring out an admin ID, but that doesn't happen a whole lot. Most of the stuff is in the main domain partition and is readily viewable by everyone. At most I may need Exchange View access, which can be given to a normal ID or a medium-level permission ID since it doesn't allow you to change anything.

Deji worked with me for quite a while. He probably recalls people bitching about how they couldn't do their job without admin rights and I told them tough, figure out how to do your job better (I was usually not that nice about it). People didn't get the rights; they figured out how to get the information themselves through channels that didn't require admin rights.

It is tough for me to list things and I know the stuff above is nothing. I just do the things when I have to, as I have been doing it so long I don't even think about it. Again, systems that are running properly don't require a lot of changes other than new implementation or decommission. Those are things that should be wrapped into standard process and automated so they aren't manual admin work with the admin sitting in a GUI with an admin ID. I tend to try and use web sites for this stuff.

Currently I have 4 main levels of IDs:

- My normal every day joe-user ID, which has no enhanced rights.
- A $ ID, which has things like Exchange View rights so I can look at Exchange configurations, or it has workstation admin rights, group membership modification rights, server join rights, etc.
- A $$ Child Domain ID, which is Domain Admin on child domains.
- A $$ Forest Root ID, which is Domain/Enterprise Admin on the root.

Almost all of my day is in the first joe-user ID. If I have to pull security logs (but NOT application, system, AD, FRS logs) I jump into my $$ IDs quickly and back out. If I have to test group modification to show someone is on crack, I jump into the $ ID, or if I need to see something in the Config container for Exchange. If I need to add sites or subnets I get into my ent admin ID and run a quick script and get back out - not for long though, that is also going into the provisioning system.

Anytime someone wants an ADMIN ID there is one reason: they think they need to change things. The first question should always be WHY? Changes shouldn't be haphazard and besides, the specifically stated ones should be going on all of the time. Anything that is going on all of the time should be processed to death and not done with an admin ID but through some automated tool. Whether I work in a company with 50 users or 500,000, I will take the time to automate stuff. A lot of people complain they are too busy to automate things because they have so much to do already. Do it in small steps. Write a small script that does one small piece of it, then later add to it. Eventually you are saving time with the pieces you have automated. You get to a certain level and you put it on a web page calling COM+ or something; now you give it to someone else to do, or do it from your regular ID.

Ah, that is enough.
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Thursday, January 29, 2004 12:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Active Directory International Support

Joe, I bet the list would be ever grateful if you compiled a list of common "administrative/support" tasks that can be accomplished via a non-admin account. :) And I'm curious, to perform these tasks, did you normally have to do something to grant your non-admin account some level of access, or is it basically available by default?

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
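Items 4, 9 and 11 of the reply above describe the same pattern three times: run one read-only query against every DC in the domain from an ordinary user ID, then compare the answers. The PowerShell script below is an added example of that pattern; it is not Joe's perl alldc/secdata tooling and is not code from the thread. It uses only System.DirectoryServices (no RSAT module, no admin rights) and assumes a domain-joined Windows host and the default ACLs that let Authenticated Users read badPwdCount, badPasswordTime, lockoutTime, pwdLastSet, whenChanged and description; the script name and parameter names are the example's own.

```powershell
<#
 Added example, not code from the original thread.
 Per-DC view of a user's lockout attributes and whenChanged, read with the
 caller's normal (non-admin) credentials. badPwdCount, badPasswordTime and
 lastLogon are NOT replicated, so the only way to see which DC is fielding
 the bad passwords is to ask each DC, exactly as the alldc loop does.
 Assumes: domain-joined host, default read ACLs for Authenticated Users.
 Usage:  .\Get-UserPerDc.ps1 -SamAccountName jdoe [-Domain child.example.com]
#>
param(
    [Parameter(Mandatory = $true)] [string]$SamAccountName,
    [string]$Domain = $env:USERDNSDOMAIN
)

Add-Type -AssemblyName System.DirectoryServices

# Escape the RFC 4515 special characters so a pasted-in name cannot change the filter.
function ConvertTo-LdapFilterValue([string]$s) {
    $out = $s.Replace('\', '\5c')            # backslash first, or we double-escape our own escapes
    $out = $out.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    return $out
}

# Large-integer time attributes are 100 ns ticks since 1601-01-01 UTC; 0 means "never".
function ConvertFrom-FileTime($v) {
    if ($null -eq $v -or [int64]$v -eq 0) { return $null }
    return [DateTime]::FromFileTimeUtc([int64]$v)
}

# Locate the DCs of the domain through the normal locator; no privilege required.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindAllDomainControllers()

$filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
$attrs  = 'badPwdCount', 'badPasswordTime', 'lockoutTime', 'pwdLastSet', 'whenChanged', 'description'

$results = foreach ($dc in $dcs) {
    try {
        # Bind to this specific DC (the -h <server> of the adfind command) rather than the domain.
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, $attrs)
        $searcher.SearchScope = 'Subtree'
        $hit = $searcher.FindOne()
        if ($null -eq $hit) {
            Write-Warning "$($dc.Name): object not found (not created here yet, or not replicated)"
            continue
        }
        $p = $hit.Properties   # ResultPropertyCollection; keys are lowercase
        [pscustomobject]@{
            DC              = $dc.Name
            Site            = $dc.SiteName
            BadPwdCount     = [int]($p['badpwdcount'] | Select-Object -First 1)
            BadPasswordTime = ConvertFrom-FileTime ($p['badpasswordtime'] | Select-Object -First 1)
            LockoutTime     = ConvertFrom-FileTime ($p['lockouttime'] | Select-Object -First 1)
            PwdLastSet      = ConvertFrom-FileTime ($p['pwdlastset'] | Select-Object -First 1)
            WhenChanged     = $p['whenchanged'] | Select-Object -First 1
            Description     = $p['description'] | Select-Object -First 1
        }
    }
    catch {
        # An unreachable DC is itself a finding when chasing an authentication path.
        Write-Warning "$($dc.Name): $($_.Exception.Message)"
    }
}

# The DC with the highest BadPwdCount / most recent BadPasswordTime is the one receiving the
# failures; differing WhenChanged or Description values mark a change that has not converged.
$results | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

Read-only is the point: nothing in the script can modify the directory, so it is safe to hand to the same lower-level admins who do the troubleshooting, and the lockoutTime column tells you whether the self-help unlock is even needed before anyone reaches for a $ or $$ ID.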
