SBS sp1 last patch 'has' to be run on the 500 account, no ifs or buts on
that one.
We're still in investigation on the WSUS install... so far all WSUS
installs done under the 500 account work fine, those done under an
alternative account, the workstations are not checking in to the WSUS
server and so far the only thing he can think of that he's done
differently is the lack of the use of the 500 account while installing WSUS.
joe wrote:
Does it actually say it must be run from that account or is it a possible
lack of some sort of access that he isn't aware of?
I have seen apps that have locked into a specific profile which is also bad.
Whatever was used for the initial install had to be used for any updates
because critical info was stored in the profile of the ID that did the
install.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Saturday, January 28, 2006 3:20 PM
To: [email protected]
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question
about the use and risk of the "500" account.
:-)
Don't install the 5th part of the SBS sp1 service pack bundle then.....
'cause it kinda wants to be only run under that "500" account.
I've got a SBSer installing WSUS under an alternative Admin account and the
installs that he's done under the "500" account the computers check in just
fine...the ones under the alternative account are having issues. He's
applied the compression hotfix and done client side targeting and still no
go. He's redoing the group policy settings under the "500" account now.
Al Mulnick wrote:
I can honestly think of no plausible reason that any vendor I want to
do business with would require that I use that or any specific
account. There is never a time when that's acceptable. Wait. I want
to be clear about this. There is never a time when it is acceptable to
tell me that I MUST install and run under a specific named account.
Any time I've been faced with that concept, I and my colleagues have
always pushed back on the vendor to specify exactly what rights and
any other pertinent details were needed. If they couldn't or
otherwise wouldn't provide the details, then we emphatically recommend
no sale. If that doesn't prevent the sale, we loop in the security
folks to accept responsibility for the compliance and other security
issues that this may introduce. If they were fine with it, then I no
longer have a stake in the game for that. Instead, I now have a
scapegoat for anything that goes wrong ;)
There is never a time when it is acceptable to tell me that I MUST
install and run under a specific named account. Never.
On 1/28/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]*
<[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
There have been times in recent past that certain installs or
applications only work under the "500" account aka the real admin
account down here in SBSland.
In Big server land... do you also find this to be true with apps that
need to be installed on the server?
For many of you, you are obviously remote admin'ing.
Do you ..when using that 500 account... accept the risk of that Admin
account/password over TS/3389?
Only over VPN? Only use that 500 account in certain
vlans/subnets/whatevers that obviously we in SBSland never carve up our
domain structures in?
For SOX purposes only have a documented use of that 500 account?
For all other times do you use admin equivalent?
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/