A service running on ServerA as localsystem or networkservice will touch remote machines including ServerB with the security context of DOMAIN\ServerA, not networkservice.

A service running on ServerA in localservice should touch remote machines as anonymous.

At no point will configuring permission on ServerB to networkservice give any rights to ServerA, only processes running on the local machine (ServerB) as networkservice.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Thursday, July 06, 2006 12:40 PM
To: [email protected]
Subject: RE: [ActiveDir] OT: Computer Account in Local Administrators Group

I see...

If the service runs as LocalSystem, then it already has the highest privilege possible on that system. In this case, the vendor (or the vendor's support rep) may be asking for this simply for the "interact" portion of your statement. Without knowing what the app does, it's hard to tell. But, I'd ask the vendor's rep specifically what level of access is needed to perform whatever the app is supposed to perform on the "other machine".

Because, you see, if the app runs in the context of LocalSystem on ServerA and needs to do something on ServerB, the Network Service credentials will be used. If whatever is running on ServerB allows "Network Service" account to do the job, then there is no additional config or privilege to add on ServerA. Ask the vendor if "Network Service" has the ability to successfully "interact" with the other machine in question, or if the access can be configured to accommodate the "Network Service" account.

Sincerely,

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED]
Sent: Thu 7/6/2006 8:08 AM
To: [email protected]
Subject: [ActiveDir] OT: Computer Account in Local Administrators Group

I’m definitely not wanting to do this – but a vendor was saying to do it to allow one of their services to run as Local System and be able to interact with another machine. I am very skeptical, and not allowing it.

Thanks,
James

Fr

More directly - WHY are you looking to do this? What problem are you trying to solve?

Fr

Ultimately, anyone with physical access to the remote PC will have Admin rights over the PC in which you add the account to the admins group for. Directly, anyone who can run anything as localsystem or networkservice will have those rights.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
Fr[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 05, 2006 12:05 PM
To:
Subject: [ActiveDir] OT: C

What is the net effect of placing a remote c(\\d

Thanks,
James

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
