Not really, true "GOD" would be schema admin, and enterprise admin.
But it would be a definate dont do to have an account with that much
power in use.
I have Schema admin on one account that is disabled, Schema admin is
hardly ever used, how often would you want to irreversably modify the
schema ? When you install E2k, then disable it again.
Enterprise admin should be used with great care, how often do you need
to use an account that can manage every domain at once?
I would just give yourself domain admin rights and be happy with that,
you can do anything you will need to do in a day to day management. I
would suggest having a normal account that you use to login and take
advantage of the "runas" command in 2000. This will make sure you never
regret forgetting to log out or lock your pc when you go to get a drink.
Try and limit the number of domain admins you have, rename and disable
the default administrator account, create a dummy administrator account
with auditing on it.
As for the Event viewer problem, if you are a domain admin, which will
make you a "local admin" of every machine you are logged in on and it
still does not work, then there has been a permissions change on the
event log. Or someone has removed the rights of people to manage or view
the event log.
Are you the only administrator/domain admin, if not make sure there is a
change management register that is compatible with ITIL processes.
Cheers
Damian
-----Original Message-----
From: Better Net Office [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 11 September 2001 10:46 AM
To: NT System Admin Issues
Subject: Re: God rights for account administrator was "Event log full
but access denied error?"
OK Thx Damian...........so i just put say user fred as a member of
schema
admin and I'm god?? right??
Tony
Quite power hungry! ;-)
God in 2k is different, depending on what you define as God.
There is a Schema admin, which holds rights to modify Schema, personally
I find this one the most frightening.
There is also Enterprise Admin, which you should think of as a Domain
Admin of "all domains", root and child.
Then there is Domain admin for the current domain you are connected to.
Hope that helps, just be security concious.
Cheers
Damian
-----Original Message-----
From: Better Net Office [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 11 September 2001 10:22 AM
To: NT System Admin Issues
Subject: God rights for account administrator was "Event log full but
access denied error?"
Ok I'll change the topic, I'd like to know exactly where I give myself
"GOD" rights. In otherwords, if i make an account called fred (me
actually) or administrator (me too) I want that account to have 100%
ability to do anything..................how? I haven't got time to muck
around with individual rights...........just want me....to be god.
Rgds
Tony Wilson
Better Net
ph02-66727565
_ _ ____ ____
| | (_) ___| | _ \
| |___ | \___ \ | __ /
|_____|_|____/ |_|
Your "LOCAL" ISP since 1997
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
**********************************************************************
This e-mail and its contents is confidential to Gold Coast City Council
and un-authorised use is strictly prohibited.
**********************************************************************
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
**********************************************************************
This e-mail and its contents is confidential to Gold Coast City Council
and un-authorised use is strictly prohibited.
**********************************************************************
http://www.sunbelt-software.com/ntsysadmin_list_charter.htm
