|
Done that Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of joe Yeah, like rename Domain Admins to "Unimportant People"
and create a new group called Domain Admins and put the CIO in it. There is no
excuse for a CIO to be in Domain Admins unless the company is under 5
people. The only people who should be in domain admins are the people you
expect to fix everything when the world hits the floor. If someone isn't in
that category, they don't get rights to modify everything because it just puts
them in a position to cause work for someone else. I would tell that to the CIO of any company. If the CIO wants, he
can hold the envelope that has the password for the builtin Admin account, that
password should be like 250 characters so he/she isn't interested in actually
trying to use it. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E] Only Sith deal in absolutes… :P When you have a CIO that likes to be in the Domain Admins group,
you sometimes have to pick your battles. Todd From: joe
[mailto:[EMAIL PROTECTED] There is no debate on admins having multiple creds, one for admin
work and one for normal work. Just do it. :) To put it nicely, if a company doesn't do this, they are just being
silly[1]. I am trying to figure out if there is ever a valid reason I think
that an admin should have a single ID in a company. I can't come up with one. joe [1] Instead of silly think of mean words used to describe really
silly people. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DCRI) [E] One more thing to add to this from my experience. I think we had situations arise where someone was trying to pragmatically
modify or read attributes on accounts in the protected groups and was not able
to due to their membership within a protected group. This of course
started the hot debate on admins having multiple credentials, one for
administrative duties, the other for collaborative and identity purposes. Todd From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] I have a 2-part discussion of this behavior starting here: http://www.akomolafe.com/JustSaying/tabid/193/EntryID/19/Default.aspx It's a bit headache-inducing, but at least you will get the benefit
of knowing that it is "by design" HTH
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J B We
have some users that have mobile devices that connect to Exchange.
The 3rd party application uses a dedicated account to send mail from
the devices. This account needs to have "Send As..."
permissions on each of the user accounts' security settings. We have set
it in all users (about two dozen) but one user in particular has a
problem. We set the permission and give it "Send As..." rights
(just like all the others - no different), but usually within an hour, the
newly added permission is gone - not just the "Send As" setting, but
the whole account name is gone from this user's security settings as if we
never added it in the first place. We have five DC's and I have tried
adding it from each DC with the same results. I am baffled by this.
Does anyone have any suggestions? |
- RE: [ActiveDir] AD Security permission co... Brian Desmond
- Re: [ActiveDir] AD Security permissi... Al Lilianstrom
- RE: [ActiveDir] AD Security permissi... Deji Akomolafe
- RE: [ActiveDir] AD Security permissi... Myrick, Todd \(NIH/CC/DCRI\) [E]
- RE: [ActiveDir] AD Security perm... Deji Akomolafe
