Hi Jorge,

WAAOOU! Indeed, I was not aware that the Print Operators group was able to log on 
to my DCs and do tasks such as reboot!!!!!!
And yes, my DCs are also print servers..... maybe it's not good for security... 
but it's hard to convince my management to buy a server ONLY for printer 
purposes.....

So I'd better review the best security practices as you suggested rather than 
"playing" with the adminsdholder..

Thanks for your feedback. ;-)

Regards,

Yann


Regards,

Yann TIROA

Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Gabriel Lippmann Building - 2nd floor - room 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.
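As an added example (not code from anyone in this thread), the script below shows the check a domain admin would run before touching AdminSDHolder at all: list every user SDProp has stamped (adminCount=1), whether inheritance is really blocked on its ACL, and which protected group(s) currently cause it. Accounts that are protected only through Print Operators are the ones whose membership can be replaced by a printer-specific delegation, which removes the problem Yann hit without weakening AdminSDHolder. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; the list of protected groups and the remark about stale adminCount values are mine, not from the thread.

```powershell
# Added example, not from the thread. Lists every user stamped by SDProp
# (adminCount=1), whether inheritance is blocked on its ACL, and which
# protected group(s) currently justify the stamp. Assumes the ActiveDirectory
# module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Default groups whose members SDProp protects. dSHeuristics can exclude the
# four "Operators" groups, which is what KB 817433 describes.
$protectedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
    'Replicator', 'Domain Controllers', 'Read-only Domain Controllers'
)

# Map member DN -> list of protected groups it belongs to (nested membership included).
$membership = @{}
foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # e.g. the RODC group is absent on older domains
    foreach ($member in (Get-ADGroupMember -Identity $group -Recursive)) {
        $dn = $member.DistinguishedName
        if (-not $membership.ContainsKey($dn)) { $membership[$dn] = @() }
        $membership[$dn] += $name
    }
}

# SDProp never clears adminCount, so a user removed from a protected group
# stays stamped (and keeps the blocked ACL) until adminCount is reset by hand.
$report = foreach ($user in Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor) {
    $groups = $membership[$user.DistinguishedName]
    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        InheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
        ProtectedGroups    = if ($groups) { $groups -join ', ' } else { '(none: stale adminCount)' }
        OnlyPrintOperators = ($groups -and ($groups -join ',') -eq 'Print Operators')
    }
}

# Accounts protected only through Print Operators are the candidates for
# replacing that membership with a printer-specific delegation.
$report | Sort-Object OnlyPrintOperators -Descending | Format-Table -AutoSize
```

Run it on a domain member with RSAT installed. The `InheritanceBlocked` column is read from the object's own security descriptor, so it confirms what Yann saw in the security tab; the `ProtectedGroups` column tells you why, and the "stale adminCount" rows are accounts that left a protected group long ago but still carry the restrictive ACL.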



-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] 
Sent: Sunday, 22 May 2005 15:18
To: TIROA YANN; '[EMAIL PROTECTED] '; '[email protected] '
Subject: RE: [ActiveDir] Adminsdholder Property Question...

Hi,

Have you seen "Delegated permissions are not available and inheritance is 
automatically disabled" (http://support.microsoft.com/?id=817433)?
This article describes how you can configure which default protected groups are 
protected or not by the adminsdholder object. Although possible, I do not 
recommend it, as there is more to it, as I mention below.

You are using the group "print operators" to manage printers, so this means 
your DCs are also print servers. Is this correct?
Are you aware that the admin that manages the OU and its child objects (has 
Full Control) can log on to your DCs?
That admin can change the password of the user that is a member of the Print 
Operators. After that he can use that user's credentials to log on to a DC.
Why? By default Print Operators have the ability to log on to DCs and do some stuff 
like shutting down the DC and loading and unloading device drivers (installing 
printer drivers and others).

I'm not sure if you already do it, but I recommend distinguishing between 
normal user accounts (to read mail, create documents, etc.) and admin accounts 
(to do all kinds of admin stuff). In my opinion each admin should log on to 
their workstation using their normal user account and do admin tasks using the 
RUNAS option. It is better, however, to have a separate workstation (or TS or 
Citrix) (protected like other servers) to do admin tasks. Using his normal 
workstation the admin user sets up a terminal session using RDP or ICA to the 
ADMIN workstation and does these things.

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Sent: 5/22/2005 2:39 PM
Subject: [ActiveDir] Adminsdholder Property Question...

Hello ;-)

I had a strange issue yesterday.

An administrator who has full control (ct) of his OU and the child objects was 
not able to modify a user account's properties or password.
The security tab of the user object showed that the admin was not in the user 
object's ACL: the inheritance checkbox that allows the parent's permissions to apply to this 
object... was disabled!!
After searching on the net, I found that the adminsdholder was responsible 
for that. Indeed, the user was a member of Print Operators and thus is protected by 
adminsdholder through his membership of this protected group.
So I enabled the inheritance on the security tab of the adminsdholder 
object, waited less than 1 hour for the PDC emulator to "do its job", and checked 
that the user object had the inheritance checkbox activated: that was OK and the 
delegated admin was happy! :-)

BUT, for my personal interest, I think disabling the inheritance of the 
adminsdholder is not a good option for security reasons. So in this case, 
how can I enable inheritance on only this user's ACL without enabling it 
on the whole adminsdholder, so the OU's admin has full ct on the user object?
I would also like the user to continue to be a member of the Print Operators.

Thanks for your expert advice :o)

NB: do not bother about my poor English writing and be indulgent 8-)

Regards,

Yann
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
