You just proved that you are very confused about "membership"? Tony, Robbie,
Guido, Gil, Roger, and Joe???? That's an expensive club. Can't afford the
"membership" fee. Next thing I know, you'd be lumping me in with Dean :-P
Seriously, let's back up a bit. Let's ask why you'd want to give permission
to "Domain\Administrator" (the user), instead of "Domain\Domain Admins" (the
group). Before you answer that, remember the basic principle "put users in
group, give permission to group".
You want to keep users from viewing membership in AD? Where are they viewing
the membership from? In the "Local Users and Groups"? From the ACEs on files
and folders? I ask because, if you have added ONLY groups instead of Users,
the names of the users are not viewable in those places.
Sincerely,
Deji Akomolafe, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account
Deji,
You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and
of course joe, and all the other heavyweights), but, we're not confused on
the accounts and their memberships. I just feel it's important to have the
Domain Admin (the individual) as Full Control on everything. As such, it's
pointless to rename him because he can be seen.
However, you might just convince me to try it if you will tell me how to keep
Users from viewing membership in AD of the Microsoft native groups, like
Domain Administrators. ;-)
That might be enough for me to try it.
RH
_________________________________
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Deji Akomolafe
Sent: Thursday, July 22, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account
If you just remember the principle "put users in group, assign
permission to group", then you'll remember that neither JohnDoe nor
Administrator should show up anywhere in your ACL enumeration. Rather, your ACL
will look something like this:
Computername\AdministratorS - F
System - F
etc, etc.
You will NOT need to add the following to the ACL:
ComputerName\Administrator (notice the missing "S")
Domain Admins
Domain\Administrator
Why? First, because by adding Computername\AdministratorS in the
first example, you have essentially taken care of the three in the second
example. "Domain\Administrator" is a member of "Domain Admins", which is a
member of Computername\AdministratorS. Likewise, "ComputerName\Administrator"
is a member of "Computername\AdministratorS".
Then your fear about your users knowing the name of your Domain Admin
account becomes non-existent (although this should have been of no concern in
the first place). If anyone looks at the permission on an object, they won't
see those 3 listed.
Now, as to how your ACL "may" be messed up by an account rename. You
need to remember that an account's name is not THE significant part where
ACEs/ACLs are concerned. It's the account's SID, and this does NOT change, even
after you've renamed an account. Your permissions will still persist through
a rename.
As to the problem you encountered after renaming a DA, I can only
speculate that there was "something else" causing that. I ALWAYS rename my
DAs. Been doing it for a while now without running into a similar problem.
Are you convinced yet?
Sincerely,
Deji Akomolafe, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
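The two points above (ACEs are keyed by SID, not by name, and only groups should appear in an ACL) can be checked on a running system. The following PowerShell function is an added example, not code from the thread; it walks the ACL of a path, resolves each ACE to its SID, classifies the principal via Win32_Account, and flags any ACE granted directly to a user account. The path is a placeholder.

```powershell
# Added example: audit a path's ACL for direct user grants (defender-side check).
# Assumes a Windows host with Get-Acl and CIM available; the path is a placeholder.
function Get-DirectUserAces {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # The ACE itself stores a SID; the account name is resolved only for
        # display. That is why renaming an account does not break permissions.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            $sid = $null   # orphaned SID (deleted account) cannot be translated
        }

        $kind = 'Unknown'
        if ($sid) {
            # Win32_Account.SIDType: 1 = user, 2 = domain group,
            # 4 = local group (alias), 5 = well-known group (e.g. SYSTEM)
            $acct = Get-CimInstance -ClassName Win32_Account -Filter "SID='$($sid.Value)'"
            switch ($acct.SIDType) {
                1 { $kind = 'User' }
                2 { $kind = 'DomainGroup' }
                4 { $kind = 'LocalGroup' }
                5 { $kind = 'WellKnownGroup' }
            }
        }

        [pscustomobject]@{
            Identity        = $ace.IdentityReference.Value
            SID             = if ($sid) { $sid.Value } else { '(unresolved)' }
            Type            = $kind
            Rights          = $ace.FileSystemRights
            Inherited       = $ace.IsInherited
            DirectUserGrant = ($kind -eq 'User')   # violates "permission to group"
        }
    }
}

# Placeholder path; list only ACEs that name a user rather than a group.
Get-DirectUserAces -Path 'C:\Shares\Finance' |
    Where-Object DirectUserGrant |
    Format-Table Identity, SID, Rights, Inherited -AutoSize
```

An empty result means every ACE on the path resolves to a group or well-known principal, so no individual account name (renamed or not) is exposed through the Security tab.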
________________________________
From: Rocky Habeeb
Sent: Thu 7/22/2004 8:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account
Rob,
We set permissions on our Users' PCs according to Trusted Systems Services
Windows NT Security Guidelines developed for the NSA in 1999. We run in a
moderate to severe lockdown. We open up NTFS permissions only as much as is
needed for Users to operate. As such, any User can open up Windows Explorer
and click Security and look at the Security NTFS permission structure of any
file and folder on their PC. Maybe they can adjust it, maybe not. It
depends on how we set it.
If we rename the Domain Admin account to "JohnDoe" and then create a bogus
account called "Administrator", obviously, when we go set permissions on a
system, we are not going to select the "Administrator" account when we
actually need the Domain Admin to have Full Control to that object. And I'm
not going to select "JohnDoe" and grant him Full Control as that pretty much
tells people where the Domain Admin account is. So what do you do?
I need DAs to have FC. What do I select? How do I keep the User from
immediately seeing where the DA account is? As far as testing it, forget
it. Ten years ago, I renamed the DA account on a Windows NT 4.0 domain. I
could not get back in. I had to rebuild the domain, albeit a small one of
less than 100 Users, from scratch, and I swore I would never do it again.
Now convince me to do it.
RH
____________________________________________________________
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/