Okay,

First off, yes the club's expensive.  And rightly so, but, do you know what
joe wanted to come to my little shop and point out to me exactly what I
already know (which is "exactly how much I don't know already.")?  "Now >HE<
was expensive.  Serves him right for getting fired. ;-O.  No wait.  He
didn't get fired.  Some of the |stupidest| people in the world (notice the
absolute symbol) just let him walk!  I'm telling you, that was about as
smart as the Russians selling us Alaska for 7 million.  I could not believe
that.  How smart do you have to be?  Not as smart as joe, that much I know.

Now, let me show you how much I don't know. ( I can explain why that is
someday, if it comes to that).  When I click (on my W2K boxes in my mixed
mode W2K domain) on My Network Places > Entire Network > Directory >
DNSDomainName it opens up my AD and everybody can see all the OUs.  If I
click on my Microsoft_Groups (OU which houses the native groups) I see every
group.  If I click on Domain Admins, I see the members.  The same with all
the other groups.  How do I hide the memberships of these native MS groups?

Thanks Deji (and all youse other guys!)

RH
__________________________________________________




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


You just prove that you are very confused about "membership"? Tony, Robbie,
Guido, Gil, Roger, and Joe???? That's an expensive club. Can't afford the
"membership" fee. Next thing I know, you'd be lumping me in with Dean :-P

Seriously, let's back up a bit. Let's ask why you'd want to give permission
to "Domain\Administrator" (the user), instead of "Domain\Domain Admins" (the
group). Before you answer that, remember the basic principle "put users in
group, give permission to group".

You want to keep users from viewing membership in AD? Where are they viewing
the membership from? In the "Local Users and Groups"? From the ACEs on files
and folders? I ask because, if you have added ONLY groups instead of Users,
the name of the users are not viewable in those places.


Sincerely,

Déjì Akómoláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


Deji,

You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and
of course joe, and all the other heavyweights), but, we're not confused on
the accounts and their memberships.  I just feel it's important to have the
Domain Admin (the individual) as Full Control on everything.  As such, its
pointless to rename him because he can be seen.

However, you might just convince me to try it if you will tell me how to
keep Users from viewing membership in AD of the Microsoft native groups,
like Domain Administrators. ;-)

That might be enough for me to try it.

RH

_________________________________



        -----Original Message-----
        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Deji Akomolafe
        Sent: Thursday, July 22, 2004 12:10 PM
        To: [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Renaming The Admin Account


        If you just remember the principle "put users in group, assign
        permission to group", then you'll remember that neither JohnDoe nor
        Administrator should show up anywhere in your ACL enumeration. Rather,
        your ACL will look something like this:

        Computername\AdministratorS - F
        System - F
        etc, etc.

        You will NOT need to add the following to the ACL:
        ComputerName\Administrator (notice the missing "S")
        Domain Admins
        Domain\Administrator

        Why? First, because by adding Computername\AdministratorS in the
        first example, you have essentially taken care of the three in the
        second example. "Domain\Administrator" is a member of "Domain Admins",
        which is a member of Computername\AdministratorS. Likewise,
        "ComputerName\Administrator" is a member of "Computername\AdministratorS".

        Then your fear about your users knowing the name of your Domain Admin
        account becomes non-existent (although this should have been of no
        concern in the first place). If anyone looks at the permission on an
        object, they won't see those 3 listed.

        Now, as to how your ACL "may" be messed up by an account rename. You
        need to remember that an account's name is not THE significant part
        when ACE/ACL are concerned. It's the account's SID, and this does NOT
        change, even after you've renamed an account. Your permissions will
        still persist through a rename.

        As to the problem you encountered after renaming a DA, I can only
        speculate that there was "something else" causing that. I ALWAYS rename
        my DAs. Been doing it for a while now without running into a similar
        problem.

        Are you convinced yet?

        Sincerely,

        Déjì Akómoláfé, MCSE MCSA MCP+I
        Microsoft MVP - Directory Services
        www.readymaids.com - we know IT
        www.akomolafe.com
        Do you now realize that Today is the Tomorrow you were worried about
        Yesterday?  -anon
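An added PowerShell example (mine, not code posted in this thread) that shows the two things Deji is saying: each ACE carries a SID, so the account name you see in the Security tab is only a translation made at view time and survives a rename, and a DACL should list groups rather than individual accounts. The folder path `C:\Shared` is an assumption; it needs a domain-joined Windows host.

```powershell
# Added example (not from the thread). Audits an NTFS DACL for the two points
# made above: each ACE stores a SID rather than a name, and ACEs should
# reference groups, not individual accounts. $Path is an assumed folder.
param(
    [string]$Path = 'C:\Shared'   # assumption: folder whose DACL we inspect
)

$acl = Get-Acl -Path $Path

# Ask for the rules keyed by SecurityIdentifier: this is what the ACE really
# holds, and it is why a rename leaves the permission in place.
$rules = $acl.GetAccessRules($true, $true,
             [System.Security.Principal.SecurityIdentifier])

foreach ($rule in $rules) {
    $sid = $rule.IdentityReference

    # Translate SID -> current account name. A rename changes only this output;
    # an orphaned SID (deleted account) cannot be translated and is flagged.
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved SID>'
    }

    # Bind to the principal through the WinNT provider to learn whether it is a
    # 'User' or a 'Group'. Well-known principals such as SYSTEM may not bind.
    $kind = 'Unknown'
    if ($name -ne '<unresolved SID>') {
        try {
            $kind = ([ADSI]('WinNT://' + ($name -replace '\\', '/'))).SchemaClassName
        } catch { }
    }

    # The check the thread argues for: a User in the DACL is visible to anyone
    # who can open the Security tab, and it names the account.
    $flag = switch ($kind) {
        'User'    { 'REVIEW: individual account in ACL' }
        'Unknown' { if ($name -eq '<unresolved SID>') { 'REVIEW: orphaned SID' } else { '' } }
        default   { '' }
    }

    [pscustomobject]@{
        SID    = $sid.Value
        Name   = $name
        Kind   = $kind
        Rights = $rule.FileSystemRights
        Note   = $flag
    }
}
```

Rename the audited account and rerun: the SID column is unchanged and only the Name column follows the rename, which is the behaviour Deji describes.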

________________________________

        From: Rocky Habeeb
        Sent: Thu 7/22/2004 8:18 AM
        To: [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Renaming The Admin Account


        Rob,

        We set permissions on our Users' PCs according to Trusted Systems
        Services Windows NT Security Guidelines developed for the NSA in 1999.
        We run in a moderate to severe lockdown.  We open up NTFS permissions
        only as much as is needed for Users to operate.  As such, any User can
        open up Windows Explorer and click Security and look at the Security
        NTFS permission structure of any file and folder on their PC.  Maybe
        they can adjust it, maybe not.  It depends on how we set it.

        If we rename the Domain Admin account to "JohnDoe" and then create a
        bogus account called "Administrator", obviously, when we go set
        permissions on a system, we are not going to select the "Administrator"
        account when we actually need the Domain Admin to have Full Control to
        that object.  And I'm not going to select "JohnDoe" and grant him Full
        Control as that pretty much tells people where the Domain Admin account
        is.  So what do you do?

        I need DAs to have FC.  What do I select?  How do I keep the User from
        immediately seeing where the DA account is?  As far as testing it,
        forget it.  Ten years ago, I renamed the DA account on a Windows NT 4.0
        domain.  I could not get back in.  I had to rebuild the domain, albeit
        a small one of less than 100 Users, from scratch, and I swore I would
        never do it again.

        Now convince me to do it.

        RH
        ____________________________________________________________

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



