Rob,

We set permissions on our Users' PCs according to Trusted Systems Services Windows NT Security Guidelines developed for the NSA in 1999. We run in a moderate to severe lockdown. We open up NTFS permissions only as much as is needed for Users to operate. As such, any User can open up Windows Explorer and click Security and look at the Security NTFS permission structure of any file and folder on their PC. Maybe they can adjust it, maybe not. It depends on how we set it.

If we rename the Domain Admin account to "JohnDoe" and then create a bogus account called "Administrator", obviously, when we go set permissions on a system, we are not going to select the "Administrator" account when we actually need the Domain Admin to have Full Control to that object. And I'm not going to select "JohnDoe" and grant him Full Control as that pretty much tells people where the Domain Admin account is. So what do you do? I need DAs to have FC. What do I select? How do I keep the User from immediately seeing where the DA account is?

As far as testing it, forget it. Ten years ago, I renamed the DA account on a Windows NT 4.0 domain. I could not get back in. I had to rebuild the domain, albeit a small one of less than 100 Users, from scratch, and I swore I would never do it again. Now convince me to do it.

RH

____________________________________________________________

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rutherford, Robert
Sent: Thursday, July 22, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

1) The easiest way to see would have been to test it - the answer is they would see the accounts and granted permissions.

2) I'm not sure what you mean? What is a standard? There isn't really one as it depends on the environment. A good rule is of course not to give everybody full control and not to use deny as it complicates things. If you want to be precise with what you want to achieve, I'm sure we could help.

BR
Rob

-----Original Message-----
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 15:25
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Renaming The Admin Account

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell me the answer to these questions please.

Let's say you run NTFS permissions on your local PCs.
Let's say your standards are (for EVERY FILE/FOLDER OBJECT ON THE PC):

Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).

[1] What is displayed locally to the User (for Admin accounts) when they look at NTFS permissions on their file/folder objects?

[2] What do you as the Admin select in the ACL, when you set new permissions for file/folder objects?

Thanks
RH

-------------------------------------------------
Rocky Habeeb
Microsoft Systems Administrator
-------------------------------------------------
James W. Sewall Company
Old Town, Maine
-------------------------------------------------
207.827.4456
habr @ jws.com
www.jws.com
-------------------------------------------------

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
