Yes, I do. But, his question had nothing to do with "Is it right or not?" I count on joe to totally over-react to such things! :op

But, just for the record, I don't condone in any way the overuse or the mismanagement of advanced privileges and rights for convenience in any way, shape or form.

I, personally, prefer to see a 'role based' administration model in which the defined NEEDS (as compared to the whacked out wants of most technical people) are developed in conjunction with the Technical people doing the work and the Technical staff in one's Information Security dept. These roles would align with what technical staff do. I only NEED one or two Domain Admins. On the other hand, I need a bunch of people that can manage, add, modify users, groups and computers, but they still have to earn the privilege. Same goes with GPO, etc, etc, etc. Just because you can spell GPO doesn't mean I trust you to work on them.

And, I am also a strong believer that if you can review event logs to determine health of machines from your desktop, then why do you RDP to servers? I'm also not going to give you the right to shut down systems just because you think you're making MY life easier. Wake me up... If it needs to be shut down, I'll do it.

I also am a strong believer in change control and following procedure. But, if you've done none of the above - then why bother with Change Control or procedures? Both assume that there is a sequence of control built into your systems - which if you're not doing the above - isn't the case.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 3:47 AM
To: [email protected]
Subject: RE: [ActiveDir] Domain Admins Group Membership

Now that we're beyond the technical specs... does anyone else cringe at the idea of granting domain admin privileges to satisfy local administrative rights privileges to machines?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:31 PM
To: [email protected]
Subject: Re: [ActiveDir] Domain Admins Group Membership

Juan,

You won't be able to add users from another domain to the Domain Admins group. The Domain Admins group is a global group, and rules for Global Groups are that they can contain users from the domain in which the global group was created. By that rule, only users of Domain A may be members of the Domain Admins group of Domain A.

However, IIRC, the Administrators group is a special group or a Domain Local group, and will allow the add of users from Domain B.

Rick

> From: "Ibarra, Juan" <[EMAIL PROTECTED]>
> Date: 2005/06/27 Mon AM 11:24:58 EDT
> To: <[email protected]>
> Subject: [ActiveDir] Domain Admins Group Membership
>
> Hi,
>
> I need to add certain users from domain B, Win 2000 Domain, to the
> Domain Admins group of Domain A, Windows 2003 Domain. There is a two
> way trust between the two domains; however, I don't seem to find the way
> to do this. I am able to add users to shares but not the group.
>
> How could I accomplish this?
>
> Thanks,
>
> Juan

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
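
The following PowerShell is an added example, not part of the original thread or any poster's message: it reports the scope of the Domain Admins and built-in Administrators groups in the current domain and flags every direct member that comes from another domain. It assumes the ActiveDirectory (RSAT) module is installed and that the session runs in the domain being audited (domain A in the thread).

```powershell
# Added example: audit privileged group scope and cross-domain membership.
# Assumption: ActiveDirectory (RSAT) module available; run from the audited domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# Domain Admins is <domain SID>-512; built-in Administrators is S-1-5-32-544.
$targets = @("$($domain.DomainSID.Value)-512", 'S-1-5-32-544')

$report = foreach ($sid in $targets) {
    # 'member' lists direct members only; accounts that hold the group as
    # their primary group are not included in this attribute.
    $group = Get-ADGroup -Identity $sid -Properties member

    foreach ($memberDN in $group.member) {
        # Rebuild the member's domain DN from its DC= components so a child
        # domain (DC=b,DC=corp,...) is not mistaken for its parent.
        $memberDomainDN = ($memberDN -split '(?<!\\),' |
            Where-Object { $_ -like 'DC=*' }) -join ','

        $origin = if ($memberDN -like '*,CN=ForeignSecurityPrincipals,*') {
            'Trusted domain outside the forest'
        } elseif ($memberDomainDN -eq $domainDN) {
            'Local domain'
        } else {
            'Other domain in the forest'
        }

        [pscustomobject]@{
            Group      = $group.Name
            GroupScope = $group.GroupScope   # Global vs DomainLocal
            Origin     = $origin
            Member     = $memberDN
        }
    }
}

# Full listing, then only the entries that warrant review.
$report | Sort-Object Group, Origin | Format-Table -AutoSize -Wrap
$report | Where-Object { $_.Origin -ne 'Local domain' } | Format-List
```

Domain Admins reports a `Global` scope and should never show a non-local member, while any non-local entry under Administrators is the cross-domain grant described in the reply above and is worth tracking against a documented need.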
