RE: [ActiveDir] OT: Computer Account in Local Administrators Group

[Deji Akomolafe]

I see...   If the service runs as LocalSystem, then it already has the highest privilege possible on that system. In this case, the vendor (or the vendor's support rep) may be asking for this simply for the "interact" portion of your statement. Without knowing what the app does, it's hard to tell. But, I'd ask the vendor's rep specifically what level of access is needed to perform whatever the app is supposed to perform on the "other machine".   Because, you see, if the app runs in the context of LocalSystem on ServerA and needs to do something on ServerB, the Network Service credentials will be used. If whatever is running on ServerB allows "Network Service" account to do the job, then there is no additional config or privilege to add on ServerA. Ask the vendor if "Network Service" has the ability to successfully "interact" with the other machine in question, or if the access can be configured to accommodate the "Network Service" account.   Sincerely,    _____                                  (, /  |  /)               /)     /)       /---| (/_  ______   ___// _   //  _  ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/                             /)                                     (/       Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com  -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] Sent: Thu 7/6/2006 8:08 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Computer Account in Local Administrators Group I’m definitely not wanting to do this – but a vendor was saying to do it to allow one of their services to run as Local System and be able to interact with another machine.   I am very skeptical, and not allowing it.   Thanks, James   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]om Sent: Wednesday, July 05, 2006 5:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group   More directly - WHY are you looking to do this? What problem are you trying to solve?   Sincerely,    _____                                  (, /  |  /)               /)     /)       /---| (/_  ______   ___// _   //  _  ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_ (_/                             /)                                     (/       Microsoft MVP - Directory Services http://www.readymaids.com/ - we know IT http://www.akomolafe.com/  -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon   From: joe Sent: Wed 7/5/2006 9:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group Ultimately, anyone with physical access to the remote PC will have Admin rights over the PC in which you add the account to the admins group for.   Directly, anyone who can run anything as localsystem or networkservice will have those rights.     -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm     -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]om Sent: Wednesday, July 05, 2006 12:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Computer Account in Local Administrators Group   What is the net effect of placing a remote computer account (\\domain\computer_name) in the Local Administrators group?   Thanks,   James   List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx   List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx