If you just remember the principle "put users in group, assign permission to group", then you'll remember that neither JohnDoe nor Administrator should show up anywhere in your ACL enumeration. Rather, your ACL will look something like this:
Computername\AdministratorS - F
System - F
etc, etc.
You will NOT need to add the following to the ACL:
ComputerName\Administrator (notice the missing "S")
Domain Admins
Domain\Administrator
Why? First, because by adding Computername\AdministratorS in the first example, you have essentially taken care of the three in the second example. "Domain\Administrator" is a member of "Domain Admins", which is a member of Computername\AdministratorS. Likewise, "ComputerName\Administrator" is a member of "Computername\AdministratorS".
Then your fear about your users knowing the name of your Domain Admin account becomes non-existent (although this should have been of no concern in the first place). If anyone looks at the permission on an object, they won't see those 3 listed.
Now, as to how your ACL "may" be messed up by an account rename. You need to remember that an account's name is not THE significant part when ACE/ACL are concerned. It's the account's SID, and this does NOT change, even after you've renamed an account. Your permissions will still persist through a rename.
As to the problem you encountered after renaming a DA, I can only speculate that there was "something else" causing that. I ALWAYS rename my DAs. Been doing it for a while now without running into a similar problem.
Are you convinced yet?
Sincerely,
Dèjì Akómoláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
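The two points made above (permissions should be granted to groups, never to individual accounts, and an ACE is stored by SID so a rename does not touch it) can be checked on any folder. The script below is an added example written for this thread, not code from either poster: it walks a folder's DACL, resolves every ACE back to its SID and current account name, recognises BUILTIN\Administrators, SYSTEM, the built-in Administrator (RID 500) and Domain Admins (RID 512) by SID rather than by name, and flags any ACE that was granted directly to a user account. The path `C:\Temp\Sensitive` is a hypothetical example; the group lookup uses the local-accounts cmdlets and an ADSI bind by SID, both of which need the account to be resolvable from the machine where you run it.

```powershell
# Added example (not from the original thread): audit a DACL by SID, not by name.
# Assumes Windows PowerShell 5.1+ on a domain-joined or stand-alone machine.
using namespace System.Security.Principal

function Test-IsGroupSid {
    # Returns $true when the SID belongs to a local or domain group.
    param([Parameter(Mandatory)][SecurityIdentifier]$Sid)
    if (Get-LocalGroup -SID $Sid -ErrorAction SilentlyContinue) { return $true }
    if (Get-LocalUser  -SID $Sid -ErrorAction SilentlyContinue) { return $false }
    try {
        # Bind to the directory object by SID; works regardless of the account's current name.
        $obj = [ADSI]"LDAP://<SID=$($Sid.Value)>"
        return ($obj.SchemaClassName -eq 'group')
    } catch { return $false }
}

function Get-DaclAudit {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # The ACE is keyed by SID; the name shown in the Security tab is looked up at display time.
        $sid = $ace.IdentityReference.Translate([SecurityIdentifier])
        $rid = [int]($sid.Value.Split('-')[-1])
        try   { $name = $sid.Translate([NTAccount]).Value }   # current name, post-rename
        catch { $name = '<unresolved>' }

        $kind =
            if ($sid.IsWellKnown([WellKnownSidType]::BuiltinAdministratorsSid)) { 'group (BUILTIN\Administrators, S-1-5-32-544)' }
            elseif ($sid.IsWellKnown([WellKnownSidType]::LocalSystemSid))       { 'well-known (SYSTEM, S-1-5-18)' }
            elseif ($sid.IsAccountSid() -and $rid -eq 500)                      { 'USER (built-in Administrator, RID 500, whatever it is named)' }
            elseif ($sid.IsAccountSid() -and $rid -eq 512)                      { 'group (Domain Admins, RID 512)' }
            elseif (Test-IsGroupSid -Sid $sid)                                  { 'group' }
            else                                                                { 'USER' }

        [pscustomobject]@{
            Path      = $Path
            Name      = $name
            SID       = $sid.Value
            Kind      = $kind
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            # Direct user grants are the ones a reader of the Security tab can use to spot the admin account.
            Finding   = if ($kind -like 'USER*' -and -not $ace.IsInherited) { 'ACE granted to a user account; move to a group' } else { '' }
        }
    }
}

# Usage: audit a hypothetical folder and show only the findings.
Get-DaclAudit -Path 'C:\Temp\Sensitive' |
    Format-Table Name, SID, Kind, Rights, Finding -AutoSize
```

Because the report keys on SIDs, running it before and after a rename of the Administrator or a DA account produces identical `SID` and `Kind` columns and only the `Name` column changes, which is the behaviour described in the message above. An ACL that follows the "groups only" rule produces an empty `Finding` column.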
From: Rocky Habeeb
Sent: Thu 7/22/2004 8:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account
Rob,

We set permissions on our Users' PCs according to Trusted Systems Services Windows NT Security Guidelines developed for the NSA in 1999. We run in a moderate to severe lockdown. We open up NTFS permissions only as much as is needed for Users to operate. As such, any User can open up Windows Explorer and click Security and look at the Security NTFS permission structure of any file and folder on their PC. Maybe they can adjust it, maybe not. It depends on how we set it.

If we rename the Domain Admin account to "JohnDoe" and then create a bogus account called "Administrator", obviously, when we go set permissions on a system, we are not going to select the "Administrator" account when we actually need the Domain Admin to have Full Control to that object. And I'm not going to select "JohnDoe" and grant him Full Control as that pretty much tells people where the Domain Admin account is. So what do you do? I need DAs to have FC. What do I select? How do I keep the User from immediately seeing where the DA account is?

As far as testing it, forget it. Ten years ago, I renamed the DA account on a Windows NT 4.0 domain. I could not get back in. I had to rebuild the domain, albeit a small one of less than 100 Users, from scratch, and I swore I would never do it again. Now convince me to do it.

RH
____________________________________________________________
