Service accounts. Especially ones with domain-level scope. Resetting the passwords for all known service accounts (including the administrators' account) should be your first course of action - just slightly ahead of the actual group purge.

Scripts. Examine all scripts in use, especially login scripts or scripts attached to GPOs. Look for embedded plain-text passwords. Look at the codes themselves and understand what they do.

Rogue services/processes - especially on DCs.

AT jobs - especially on DCs.

That's all for now.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Fri 2/10/2006 8:53 AM
To: [email protected]
Subject: [ActiveDir] Hiding in the Directory

I have been asked by a company to help them tighten what is currently a very loose security model. Now, several non-IT-but-computer-adept employees have accounts with full Domain Admin privileges. Many of these folks are programmer types and pretty savvy (which leads them to think they know what they are doing - that's another story). They are also aware that we are going to tighten things down. For political reasons, we could not just yank their admin access.

So the question is: if you were one of these folks and were inclined to mischief (or simply ensuring your continued access), how might you hide yourself in the Directory? More to the point: where should I look beyond the obvious group memberships?

Thanks.

-- nme

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
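One way to carry out the "Scripts" check from the reply above, as an added example that is not part of the original thread: a scanner that walks a copy of the logon/GPO script tree and reports lines that appear to carry a plain-text password, without echoing the secret itself. The rule set, the function names and the sample script are assumptions made for illustration; the rules are heuristics and do not replace reading each script.

```python
import re
from pathlib import Path

# File types commonly used for logon/startup scripts under SYSVOL.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".kix", ".ps1", ".wsf", ".js"}

# Heuristic rules (assumed, not exhaustive): command forms that take a password inline.
RULES = [
    ("net use with inline password",
     re.compile(r"\bnet\s+use\b.*?\\\\\S+\s+(?![/*])\S+", re.I)),
    ("psexec -p password",
     re.compile(r"\bpsexec(?:\.exe)?\b.*\s-p\s+\S+", re.I)),
    ("schtasks /rp password",
     re.compile(r"\bschtasks\b.*\s/rp\s+(?!\*)\S+", re.I)),
    ("password assigned to a literal",
     re.compile(r"(?:pass(?:word|wd)?|pwd)\w*\s*=\s*[\"'][^\"']+[\"']", re.I)),
]

def scan_text(name, text):
    """Return (file, line number, rule) for each line that matches a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                hits.append((name, lineno, rule))
    return hits

def scan_tree(root):
    """Scan every script file under root, e.g. a copy of the SYSVOL share."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits.extend(scan_text(str(path), text))
    return hits

# Constructed sample logon script (not from the thread).
SAMPLE = r"""@echo off
net use H: \\fs01\home /persistent:no
net use S: \\fs01\apps Passw0rd! /user:CORP\svc_apps
net use T: \\fs01\tools * /user:CORP\svc_tools
psexec \\dc01 -u CORP\svc_backup -p Backup2006 cmd /c dir
set DBPASSWORD="hunter2"
"""

if __name__ == "__main__":
    for name, lineno, rule in scan_text("logon.bat", SAMPLE):
        print(f"{name}:{lineno}: {rule}")
```

Any account whose password turns up this way belongs on the service-account reset list from the first point of the reply.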
