Think about nested groups and primary group membership. Some of joe's discussions of primary group membership are in the archives and should lead you where you want to go.

...one of Diane's 'cohorts' :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Thursday, October 06, 2005 10:11 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

Hi joe...I've seen you make this reference in the past and can't remember if you've elaborated on it as well (sorry for not searching - feel free to refer me...getting late here).

Since we use the same idea mentioned by Diane below, but *do* use LDAP as the method...

...should we be using "net user" [or some distant cousin of it] additionally to catch memberships not returned by LDAP? Was that it?

Thanks!
-DaveC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 8:24 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

How does it work? Do you use LDAP to look at the membership? If so, you probably have a hole in the implementation.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Thursday, October 06, 2005 2:20 PM
To: [email protected]
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group

We run a simple process that monitors the members of elevated privilege groups. Any changes trigger a notification. Doesn't address the prevention but will allow you to capture the occurrence and deal with it appropriately.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Thursday, October 06, 2005 10:00 AM
To: [email protected]
Subject: [ActiveDir] Modifying Domain Admins & Administrators Group

Hi,

We have about 7 domain administrators in a particular child domain. I just found out someone added the DBA Group to part of the Administrators group in this domain. Not necessary, not required nor is it a policy.

Event logs have obviously been overwritten therefore I would like to know the simplest method to avoid this scenario from ever happening again. What are my options?

Thank you so much.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
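The gap the replies point at (nested groups and primary group membership), shown as an added example that is not part of the thread or any poster's code: a monitor that reads only a group's `member` attribute, compared with one that also follows nesting and matches `primaryGroupID` against the group's `primaryGroupToken`. The directory snapshot, the shortened DNs and the RID 1105 are constructed for illustration.

```python
# Constructed sample directory (not real data): DN -> attributes an LDAP read returns.
# primaryGroupToken on a group is its RID; primaryGroupID on a user holds the RID
# of that user's primary group.
DA, DBA, DU = "CN=Domain Admins", "CN=DBA Group", "CN=Domain Users"
DIRECTORY = {
    DA:  {"objectClass": "group", "primaryGroupToken": 512, "member": ["CN=alice", DBA]},
    DBA: {"objectClass": "group", "primaryGroupToken": 1105, "member": ["CN=bob"]},
    DU:  {"objectClass": "group", "primaryGroupToken": 513, "member": []},
    "CN=alice": {"objectClass": "user", "primaryGroupID": 513},
    "CN=bob":   {"objectClass": "user", "primaryGroupID": 513},
    "CN=carol": {"objectClass": "user", "primaryGroupID": 512},   # primary group = Domain Admins
    "CN=dave":  {"objectClass": "user", "primaryGroupID": 1105},  # primary group = DBA Group
}

def direct_members(directory, group_dn):
    """What a monitor sees when it only reads the group's member attribute."""
    return set(directory[group_dn].get("member", []))

def effective_users(directory, group_dn):
    """Users holding the group via member, nested groups, or primaryGroupID."""
    users, seen, pending = set(), set(), [group_dn]
    while pending:
        dn = pending.pop()
        if dn in seen:  # guard against circular nesting
            continue
        seen.add(dn)
        group = directory[dn]
        # Primary-group members are not listed in member; match them by RID.
        for other, attrs in directory.items():
            if (attrs["objectClass"] == "user"
                    and attrs.get("primaryGroupID") == group["primaryGroupToken"]):
                users.add(other)
        for m in group.get("member", []):
            if directory[m]["objectClass"] == "group":
                pending.append(m)   # nested group: expand it as well
            else:
                users.add(m)
    return users

def hidden_from_member_read(directory, group_dn):
    """Effective users that a member-only monitor would not list."""
    return effective_users(directory, group_dn) - direct_members(directory, group_dn)

if __name__ == "__main__":
    print(sorted(hidden_from_member_read(DIRECTORY, DA)))
```

A monitor that diffs only `direct_members` would report nothing when an account's primary group is switched to a privileged group or when someone is added to an already-nested group.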
