Any sufficiently advanced technology is indistinguishable from magic. 

  - Arthur C. Clarke


Magic: an illusory feat; considered magical by naive observers

  - Princeton.edu WordNet 2.0


Magic: adj. 1. As yet unexplained, or too complicated to explain; compare
{automagically} and (Arthur C.) Clarke's Third Law: "Any sufficiently
advanced technology is indistinguishable from magic."

  - worldwideschool.org Library


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 10:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

So as I said, there's not much damage one could do to the forest, except
through "magic". If you have multiple domains all fairly independent of each
other and admin in child domain B screws it royally, that really won't have
an effect on Admin and his users in domain A.
And by independent, all my users from domain A only access resources and apps
in domain A. No group nesting or uni groups.
So aside from Exchange and the GAL, we are all separate entities in the same
forest.
So the only way to screw things up that is forest wide, a child domain admin
would have to use this SID history hack, a hack so obscure, you call it
magic...
So, I guess multiple admins in many domains can't do so much damage after
all?

-----Original Message-----
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


If I recall correctly, a domain admin in a child domain can use the SID
history function to gain access to the parent domain.  Once he has access to
the parent domain, he can then add himself to the Enterprise Admins group.
The part about "Use the SID history function to gain access" is somewhat of a
mystery to me.  (Almost like magic) However, I do believe it is possible.

Your damage is limited to the child domain unless you use the SID history
feature (i.e. magic) to hack into the parent domain.

Denny 
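
One defender-side check for the sIDHistory path Denny describes, added here as an example and not something posted in the thread: it lists every object in the current domain with a populated sIDHistory and flags entries whose domain part belongs to another domain of the same forest. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined machine with read access to the directory; the Windows 2000 forest in the thread predates that module.

```powershell
# Added example, not from the thread: report sIDHistory entries so that SIDs
# from other domains in the same forest can be reviewed.
Import-Module ActiveDirectory

# Domain SIDs of every domain in this forest (Get-ADForest returns DNS names)
$forestDomainSids = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

# Objects in the current domain with a populated sIDHistory attribute;
# the module returns each entry as a System.Security.Principal.SecurityIdentifier
$withHistory = Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory

foreach ($obj in $withHistory) {
    foreach ($sid in $obj.sIDHistory) {
        # Well-known SIDs such as S-1-5-32-544 carry no account domain part
        $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        # Relative identifier: the last component of the SID string
        $rid = [int](($sid.Value -split '-')[-1])

        [PSCustomObject]@{
            Object          = $obj.DistinguishedName
            Class           = $obj.ObjectClass
            HistorySid      = $sid.Value
            SourceDomainSid = $domainSid
            # A SID from another domain of the same forest is the case the
            # thread describes: it grants that domain's rights to this account.
            # SIDs from a foreign forest usually come from a migration; review those too.
            SameForest      = ($null -ne $domainSid) -and ($forestDomainSids -contains $domainSid)
            # RIDs below 1000 belong to built-in accounts and groups
            WellKnownRid    = $rid -lt 1000
        }
    }
}
```

Pipe the output to `Where-Object { $_.SameForest -or $_.WellKnownRid }` to see only the entries that need explaining; intra-forest migrations normally leave no sIDHistory behind once they are complete.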

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. What do you mean by "an admin in any domain has the power of being an
Enterprise admin"? I, being a domain admin of a child domain, do not have the
power to put myself into the Enterprise Admins group. A domain or enterprise
admin in the root domain would have to do that for me.

Also, as a domain admin in a child domain, I'm kinda limited to the damage I
could do to the forest, no? I mean, I could screw up my domain royally, but I
can't really do anything to screw up the forest (and completely hosing my
domain would only cause replication errors generated in event logs and some
repointing of Exchange servers to different GCs). I can't modify the schema
or install an app that does it for me. I can't link a wrong-headed GPO to a
site or create one on the root or any other domain. I can't create a site or
subnet.
And if I crashed and burned all my DCs, wouldn't AD remove them permanently
after 60 days?

I'm sorry to belabour the point here and waste your time, but I really want
to make a good case for our IT dept to have enterprise admin access and show
why multiple separate domain admins for multiple domains is not a good idea,
as well as further my knowledge of what can and can't be done and what can
and can't be screwed up.
I'd like to convince everyone that playing nice is in our best interest.
Thanks, and again, I apologize for rehashing old posts.

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question


Wow this is like déjà vu, I swear we went through this whole thought process
a month or two ago on here....

The quick summary (no I will not spout the whole thing, it should be in the
archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin,
domains ARE NOT security boundaries. Each child domain should not have
different admins because that can result in chaos and possible danger to the
entire forest.

2. You cannot do DR testing with just a child domain.

3. Either your corp IT has to be involved with your DR testing or you should
redesign into multiple forests. 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.


Aside from creating new domains or modifying the schema, why would an admin
need access to the root DC of a forest (the schema, domain naming master)?
Furthermore, why would an admin in a child domain need enterprise admin
privileges?

I only ask because we had issues with our test DR run wherein we didn't have
access to the root domain and/or a test root domain VMware'd on a laptop and
it ended miserably.
I am in the process of convincing the higher-ups in my corp of letting our
IT dept have enterprise admin access.
I'd like to make a case for us as to why we would need this account with
concrete examples (aside from the DR one), ones that a semi tech-aware CIO
could relate to.
What other compelling reasons would one need these rights for in day to
day (or not so day to day) AD administration?

We are a multi-domain (14) Win2k forest in mixed mode with Exchange2k in
native mode.

Thank you in advance for any assistance.
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/