LOL.
 
I am with you with the view access. Whenever I walk into a location I ask
for normal user and exchange view to start, and if they have actually locked
down pre-w2k access (rare in my experience) then I ask for whatever group
allows me to view the attributes that are now no longer available to normal
users to see. If they say that is the admin groups, then I start talking
about the idea of not using Domain Admin rights to try and troubleshoot,
only to actually change things. Especially for AD troubleshooting, much if
not most of the info you would likely need is available through normal user
rights, and I try very hard to do everything in terms of looking at info as a
normal user or a normal user with additional read access granted, and if I
can't do it as a normal user with that access I try to understand why not so
I can later. The admin accounts in general scare me because people make
mistakes too easily (including me), which is why I don't want anything to do
with admin rights when I walk into a place to help them. You can't blame me
for breaking your stuff if you didn't give me rights to break it. I don't
feel I am special enough to have DA rights when I walk into someone else's
environment. Anymore, now that I do more consulting than real work, I don't
have DA rights anywhere but at home, and even there I am not sure I should
have them. ;o)
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 11, 2007 10:07 PM
To: [email protected]
Subject: Re: [ActiveDir] Domain Admin


I've seen consultants ask for that level of access before to gain access to
the local machine.  They reason that because the domain admins are added to
the local administrators group that they'll have full access to the machine.
They also are not aware of the rights needed to view or otherwise administer
AD. Just not familiar with rights at all for that matter. 
 
GPO's....hmmmm....Good point. But if it were me, I wouldn't want to have
change access to anything in production at all.  I would much prefer to have
the local admins step and fetch and do my bidding.  I guess that's my power
trip, though it has the nice added benefit of not letting me, the
consultant, get blamed for any issues or data theft or damage that may occur
before, during, or after my engagement. 
 
It's way too easy to ask for the details in a particular format vs.
collecting it with DA rights. DA is just way too much IMHO. It's lazy to ask
for the keys to the kingdom to gain access to the kitchen.  

But I'm with you joe, I hope it's a translation thing.  I shudder to think
that somebody may have been given the DA rights to look at a local server or
two. 
 
Oh, and if you take away any more fun I'll have to stop reading some of
those posts.  I mean c'mon, not changing and reconfiguring a server at
logon?  How can you possibly expect me to get my email if I can't use
Outlook on my servers? Sheesh... (o; 
 

 
On 1/11/07, joe <[EMAIL PROTECTED]> wrote: 

Hopefully the guy means the person needs administrator rights over the two
servers. Not sure how you would give domain admin rights over two servers
and even what that would buy you. At the member level a domain admin isn't
any more powerful than a local admin. The domain powers come in with the
GPOs and computer account in AD which likely this bonehe... err consultant
needs. :) 
 
Unless the admin tools are tied to some GPO software installation (something
I never liked, though I thought, that is kind of cool when I initially saw
it) that is tied to DAs, then what ID is used to log into the server
shouldn't come into play. If it is tied to a policy, scrub the policy and
just install the tools on the servers in your base install process. Servers,
IMO, are not devices that should be getting reconfigured every time someone
different logs on or logs off.
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, January 11, 2007 7:56 PM
To: [email protected]
Subject: Re: [ActiveDir] Domain Admin

 

Am I the only one that would suggest escorting the consultant out the door?

Asking for domain admin level privs to access two servers is WAY over the
top IMHO.  Heck, just to read and report and make suggestions (consultants
tend to do that from what I recall) the consultant doesn't need anywhere
near that level of privs. Just for asking is grounds for dismissal based on
the information presented anyway. 

Having been a consultant, I feel qualified to make such statements in case
you wondered where I am coming from :)

Perhaps the original poster can add some information about what the
"consultant" needs to be able to do and why domain admin privs would be
needed?


On 1/10/07, Lee, Wook <[EMAIL PROTECTED]> wrote: 

Assuming the servers are at least Windows 2000 or newer,  the administrative
tools can be installed using adminpak.msi which is found in
%systemroot%\system32 which is usually c:\winnt\system32 or
c:\windows\system32.

It is also possible to delegate control in the AD over a couple of servers
either individually or by OU, but the best practice would be to use a
separate account for the admin tasks as Daniel describes and use a group to
delegate control in the AD if that's really necessary. You want to be
careful not to delegate too much control. Full control over the OU gives the
delegated administrators too much since they would be able to create
additional OUs and any kind of objects that they would want. Very bad in
most enterprises. 

Only delegate control in AD if you absolutely have to, and then audit those
activities closely to avoid disasters of forest-wide proportions.

Wook

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert 
Sent: Wednesday, January 10, 2007 6:12 AM
To: [email protected]
Subject: RE: [ActiveDir] Domain Admin 

I might go so far as to create a new account for the consultant.  Inform
the consultant to only use the new account when they need to perform the
work on the two servers.  A new account will allow you to audit their
work and also watch for "creep".  Also, do not give the elevated
account e-mail or anything like that, so that there is no way those servers
can pick up anything like a virus or spyware.

Dan

> -------- Original Message -------- 
> Subject: [ActiveDir] Domain Admin
> From: "Patrick" <[EMAIL PROTECTED]>
> Date: Tue, January 09, 2007 10:19 pm
> To: <[email protected]>
>
> I have a consultant that is asking for domain admin rights on 2
> member servers. I have googled it but nothing seems to work out right. The
> servers are on the domain but the consultant just has a domain user account.
> He can log on to the servers while they are on the domain but the
> administrative tools are not there (as it should be). I want to create an OU and
> put the two machines in that OU and delegate control to the consultant's
> domain user account. Any other way to do this without registry hacks or
> scripts?  All assistance welcomed

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
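The least-privilege arrangement the thread converges on (a dedicated elevated account with no mailbox, an OU holding only the two servers, local Administrators membership granted through a group rather than Domain Admin, logon auditing on those servers, and a check for privilege "creep"), as an added PowerShell example that is not part of the original thread or any poster's own scripts. It uses the RSAT ActiveDirectory module, PowerShell remoting and the LocalAccounts cmdlets, which postdate the adminpak.msi era discussed above; the server, OU, group and account names are constructed placeholders.

```powershell
# Added example: local-admin-only access for a consultant on two member servers.
# Assumes: RSAT ActiveDirectory module on the admin workstation, PowerShell
# remoting enabled on the servers, and a domain-joined session with rights to
# create objects in the domain root. All names below are placeholders.
Import-Module ActiveDirectory

$Servers      = @('SRV01', 'SRV02')                 # placeholder: the two member servers
$OuName       = 'ConsultantServers'                 # placeholder OU name
$GroupName    = 'SRV-Consultant-LocalAdmins'        # placeholder group name
$AdminAccount = 'adm-consultant'                    # placeholder: separate, elevated-only account
$DomainDn     = (Get-ADDomain).DistinguishedName
$DomainNb     = (Get-ADDomain).NetBIOSName
$OuDn         = "OU=$OuName,$DomainDn"

# 1. An OU that holds only these two computers, so anything later scoped to it
#    (GPOs, auditing, delegation) cannot reach the rest of the domain.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDn)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}
foreach ($s in $Servers) {
    Get-ADComputer -Identity $s | Move-ADObject -TargetPath $OuDn
}

# 2. The right lives on a group, not on the account, so revoking it is a
#    single membership removal rather than a hunt across servers.
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$GroupName)")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $OuDn `
        -Description 'Local Administrators on the consultant servers only; no AD rights'
}

# 3. A dedicated elevated account: no mailbox, forced password change,
#    and an expiry that matches the engagement rather than living forever.
if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$AdminAccount)")) {
    $pw = Read-Host -AsSecureString "Initial password for $AdminAccount"
    New-ADUser -Name $AdminAccount -SamAccountName $AdminAccount -Path $OuDn `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true `
        -AccountExpirationDate (Get-Date).AddDays(30) `
        -Description 'Consultant elevated account: server-local admin only'
}
Add-ADGroupMember -Identity $GroupName -Members $AdminAccount

# 4. Grant local Administrators on exactly those servers and turn on logon
#    auditing there, so the account's activity can be reviewed afterwards.
#    This is member-server admin, which is all the task requires; Domain Admin
#    adds nothing at the member level.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($Member)
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Member
    }
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Special Logon" /success:enable | Out-Null
} -ArgumentList "$DomainNb\$GroupName"

# 5. Creep check: the elevated account must not be in any domain-wide
#    privileged group. Run this again periodically during the engagement.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators'
$memberOf = Get-ADPrincipalGroupMembership -Identity $AdminAccount | Select-Object -ExpandProperty Name
$leak = $memberOf | Where-Object { $privileged -contains $_ }
if ($leak) { Write-Warning "$AdminAccount is in privileged group(s): $($leak -join ', ')" }
else       { Write-Host "$AdminAccount holds local admin on $($Servers -join ', ') and nothing domain-wide." }
```

The consultant logs on to SRV01 and SRV02 with the placeholder adm-consultant account and gets a local Administrators token there; on every other machine the account is an ordinary domain user. Because the servers sit in their own OU, any delegation you later decide you really do need can be scoped to that OU alone, and the account expiry plus the creep check in step 5 make it visible if the access outlives the engagement or quietly widens.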



