I haven't seen this in practice.

> But if you limit the other admins to only change their own scripts,
> then even if they screw up, it's up to them to fix it

When a logon script fails badly the workstations tend to lock up pretty hard, and all the users know is that they typed in their password and bam, it stopped working, so this is obviously a logon issue. In the environments I have seen this in, the escalations immediately go to the DAs and they have to try and figure out what happened.

If the desire is to let some sub-admins do these mods, I really prefer shifting the secondary logon scripts to other locations versus letting non-DAs write to the file system of domain controllers.

I agree that admin IDs shouldn't have logon scripts, or a bogus logon script like bob.txt. I also do not put them in OUs that have GPOs applied to them other than the domain GPO.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, June 30, 2005 5:51 PM
To: [email protected]
Subject: RE: [ActiveDir] Allow non domain-admin to modify login scripts
I tend to not agree fully with the elevation-of-privilege thoughts mentioned in this thread.

It really depends on your delegation model and doing it right in the first place => of course you don't grant all your "OU-level" admins the rights to change all scripts in NetLogon - instead you'd create a sub-structure similar to that of your OUs which you've delegated out for them to handle their users (if this is what you're doing). You'll then only grant them permissions to edit stuff in their sub-folder underneath NetLogon (not on the share level) - and clearly it's only the DAs that handle this structure and who'd handle any "main" script if you wanted to run a central logon script for everybody. And no admin with high privs would be configured to run a logon script that's located in a folder editable by other folks - I actually never configure any highly privileged account to use any logon scripts.

There is no need to change permissions on the NetLogon share at all - you can tell your admins to connect via SYSVOL on the respective DC.

Of course the approach is not without risk either => you're granting people rights to change stuff in SysVol (even if they only have write permissions on a specific subfolder). You should think about using quotas on the volume that hosts SysVol to prevent a DoS attack by filling up the SysVol folder.... However, they can still potentially harm SYSVOL FRS replication if they do a lot of awkward changes in their folder - this risk remains.

I'm not against using other solutions such as those pointed out by joe. But if you limit the other admins to only change their own scripts, then even if they screw up, it's up to them to fix it (not talking about overloading the DC - this should be prevented via other means, e.g. quotas). And if you get your delegation right I certainly don't see an issue with elevation of privs.

/Guido
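The delegation Guido describes, plus the two checks the rest of the thread asks for (that the delegated group can write nowhere else under NetLogon, and that no highly privileged account runs a logon script at all, let alone one from a folder other people can edit), as an added PowerShell example. This is not code from the thread or from any of its participants; the domain name, the group SalesOU-Admins, the subfolder name "sales" and the quota figures are illustrative assumptions, and it is meant to be run as a Domain Admin on a DC that has the ActiveDirectory module (RSAT) installed.

```powershell
# Added example, not from the original thread. Assumptions: group
# <NetBIOS domain>\SalesOU-Admins, delegated subfolder "sales", run on a DC.
#Requires -Modules ActiveDirectory

$domain      = Get-ADDomain
# \\DC\NETLOGON is the same directory as SYSVOL\<domain>\scripts
$scriptsRoot = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\scripts"
$delegated   = Join-Path $scriptsRoot 'sales'
$group       = "$($domain.NetBIOSName)\SalesOU-Admins"

# 1. Create the OU admins' subfolder and grant Modify on it only.
#    NTFS inheritance flows down into the subfolder, never up to the
#    scripts root or to the NETLOGON share, so the share ACL stays untouched.
New-Item -ItemType Directory -Path $delegated -Force | Out-Null
$acl  = Get-Acl -Path $delegated
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $group, 'Modify',
            'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $delegated -AclObject $acl

# 2. Check: the group must hold no write-type right on the scripts root itself.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$leaks = (Get-Acl -Path $scriptsRoot).Access | Where-Object {
    $_.IdentityReference.Value -eq $group -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $writeMask) -ne 0)
}
if ($leaks) {
    Write-Warning "$group has write access at the NetLogon root: $($leaks.FileSystemRights)"
}

# 3. Check: no (nested) member of Domain Admins has a per-user logon script,
#    and in particular none points into the delegated folder.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties scriptPath |
    ForEach-Object {
        if ($_.scriptPath) {
            $where = if ($_.scriptPath -like 'sales\*') { 'inside the DELEGATED folder' } else { 'set' }
            Write-Warning "Privileged account $($_.SamAccountName) has scriptPath $where ($($_.scriptPath))"
        }
    }

# 4. Limit how much the delegated admins can write to the volume hosting SYSVOL
#    (the disk-filling DoS mentioned above). NTFS quotas are per user, so one
#    entry per group member; 50 MB warning / 100 MB limit are illustrative.
$sysvolDrive = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol.Substring(0, 2)
fsutil quota enforce $sysvolDrive | Out-Null
Get-ADGroupMember -Identity 'SalesOU-Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        fsutil quota modify $sysvolDrive 50000000 100000000 "$($domain.NetBIOSName)\$($_.SamAccountName)"
    }
```

Step 4 does not address the other risk Guido names: a quota caps bytes, not the number or rate of changes, so a delegated admin churning files in their subfolder can still put load on SYSVOL replication. Steps 2 and 3 are worth re-running on a schedule, since an ACL or scriptPath change later on silently undoes the delegation boundary.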
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, 30 June 2005 01:20
To: [email protected]
Subject: RE: [ActiveDir] Allow non domain-admin to modify login scripts
I would be extremely picky about letting people update logon scripts. In fact, I previously was when I did ops; it was the DAs and only the DAs. Even doing that and taking "certified" good scripts from other folks and placing them into the proper locations, I have experienced some extremely nasty logon issues that weren't really logon issues. The issues were dorked-up logon scripts, though they presented as logon issues (I typed in my userid and password and it just sits here!!!), and it took me trying to figure out what was broken to realize it was a logon script, and those are hours I can never get back into my life for myself, lost forever due to someone else's poor scripting skills.

Basically, allowing someone to write to the share that every single interactive authentication touches is not the best way to secure an environment in my opinion. Think how much fun you can have if the person does an update, no one knows it, no one can log on, you think the DCs are hosed, and a couple of days later you realize no one could log on for a couple of days because of a change to the logon script. You go to the person; his response is, nah, it couldn't be.

Quite honestly I would ask, why is the perception that the logon script has to change so much?

My advice, just say no. Tell them you will copy the new "certified" scripts into place every X days, where you pick X as a sufficiently painful period that they realize whatever it is they are doing probably shouldn't be done in logon scripts anyway. Let the user finish logging on, then screw them up; that way it doesn't come back to the overworked DAs.

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, June 29, 2005 5:49 PM
To: [email protected]
Subject: [ActiveDir] Allow non domain-admin to modify login scripts
We assign our login scripts to each individual user account (not via GPOs).

We have a user who needs to modify login scripts, but since he's not a domain admin he can't log in to our domain controller (which is good). How can we let him modify login scripts by mapping to the DC instead of logging onto it?