How would one force an escalation of privileges? Is this just taking advantage of a security hole in AD? Or is this a standard ability? A backdoor to prevent a lockout, like the ability to change a domain admin pw if you're physically at the machine with a Linux boot disk? And if it's a flaw, why hasn't it been fixed by MS?
-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

You'd be very, very wrong. Through *standard* practices, you're correct. However, you have sufficient rights to force an escalation of privileges and insert your account into the Enterprise Admins group....

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Kern, Tom [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 9:16 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
>
> 1. What do you mean by "an admin in any domain has the power of being an Enterprise admin"? I, being a domain admin of a child domain, do not have the power to put myself into the Enterprise Admins group. A domain or enterprise admin in the root domain would have to do that for me.
>
> Also, as a domain admin in a child domain, I'm kinda limited to the damage I could do to the forest, no? I mean, I could screw up my domain royally, but I can't really do anything to screw up the forest (and completely hosing my domain would only cause replication errors generated in event logs and some repointing of Exchange servers to different GCs). I can't modify the schema or install an app that does it for me. I can't link a wrong-headed GPO to a site or create one on the root or any other domain. I can't create a site or subnet. And if I crashed and burned all my DCs, wouldn't AD remove them permanently after 60 days?
>
> I'm sorry to belabour the point here and waste your time, but I really want to make a good case for our IT dept to have enterprise admin access and show why multiple separate domain admins for multiple domains is not a good idea, as well as further my knowledge of what can and can't be done and what can and can't be screwed up.
>
> I'd like to convince everyone that playing nice is in our best interest.
>
> Thanks, and again, I apologize for rehashing old posts.
>
> -----Original Message-----
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 13, 2004 8:34 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A root dc question
>
> Wow, this is like déjà vu, I swear we went through this whole thought process a month or two ago on here....
>
> The quick summary (no I will not spout the whole thing, it should be in the archives) of what I recall:
>
> 1. An admin in any domain has the power of being an Enterprise Admin, domains ARE NOT security boundaries. Each child domain should not have different admins because that can result in chaos and possible danger to the entire forest.
>
> 2. You can not do DR testing with just a child domain.
>
> 3. Either your corp IT has to be involved with your DR testing or you should redesign into multiple forests.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Wednesday, May 12, 2004 4:37 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] A root dc question
>
> My apologies if this seems basic and/or silly.
>
> Aside from creating new domains or modifying the schema, why would an admin need access to the root DC of a forest (the schema, domain naming master)? Furthermore, why would an admin in a child domain need enterprise admin privileges?
>
> I only ask because we had issues with our test DR run wherein we didn't have access to the root domain and/or a test root domain VMware'd on a laptop, and it ended miserably.
>
> I am in the process of convincing the higher ups in my corp of letting our IT dept have enterprise admin access.
>
> I'd like to make a case for us as to why we would need this account with concrete examples (aside from the DR one), ones that a semi tech aware CIO could relate to.
>
> What other compelling reasons would one need these rights for in day to day (or not so day to day) AD administration?
>
> We are a multi-domain (14) Win2k forest in mixed mode with Exchange2k in native mode.
>
> Thank you in advance for any assistance.
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
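The point the thread keeps circling is that an account from a child domain can end up in a forest-root group such as Enterprise Admins, so the defensive check is to look for exactly that. The script below is an added example, not from any of the list posts; it assumes the RSAT ActiveDirectory module, read access to the forest root domain, and uses two hypothetical helper names (Get-DomainFromDN, Find-ForeignPrivilegedMembers) chosen for this example.

```powershell
# Added example: list members of forest-root privileged groups whose
# account lives in a domain other than the forest root.
# Assumes the RSAT ActiveDirectory module and read access to the root domain.
Import-Module ActiveDirectory

function Get-DomainFromDN {
    param([string]$DistinguishedName)
    # Pull the DC= components out of the DN and join them into a DNS name.
    # The lookbehind keeps a "DC=" inside a CN or OU value from matching.
    $parts = [regex]::Matches($DistinguishedName, '(?:^|,)DC=([^,]+)') |
             ForEach-Object { $_.Groups[1].Value }
    return ($parts -join '.')
}

function Find-ForeignPrivilegedMembers {
    param([string[]]$Groups = @('Enterprise Admins', 'Schema Admins'))
    $root = (Get-ADForest).RootDomain
    foreach ($name in $Groups) {
        # Read the raw member attribute rather than Get-ADGroupMember so that
        # members from other domains are not skipped or turned into errors.
        $group = Get-ADGroup -Identity $name -Server $root -Properties member
        foreach ($dn in $group.member) {
            $memberDomain = Get-DomainFromDN $dn
            if ($memberDomain -ne $root) {
                # Anything here is an account or group from outside the
                # forest root holding forest-wide rights; review each one.
                [pscustomobject]@{
                    Group        = $name
                    Member       = $dn
                    MemberDomain = $memberDomain
                }
            }
        }
    }
}

Find-ForeignPrivilegedMembers | Format-Table -AutoSize
```

Nested groups are reported as members themselves rather than expanded, so a hit on a group DN means its own membership needs the same review.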
