That looks a good read, Bob, thanks for posting that

On 28 February 2012 18:12, Free, Bob <[email protected]> wrote:

> If you want to look at really tightening things up search out the articles
> Laura Robinson has written about running with 0 domain admins. She is an
> extremely bright lady and I've long admired her work from a distance. There
> are also some videos available online of her work on TechNet since she went
> to work for the borg :-)
>
> While eliminating DAs might not be possible in your environment, her ideas
> definitely get you thinking about least privilege. I have talked to people
> who got AD audits from her team and evidently it is quite the experience.
>
> Start here-
>
>
> http://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-and-windows-part-1-understanding-privileged-groups-in-ad.aspx
>
>
> -----Original Message-----
> From: David Lum [mailto:[email protected]]
> Sent: Monday, February 27, 2012 6:39 AM
> To: NT System Admin Issues
> Subject: RE: Log on to DC directly
>
> Personally I do - I let Win7 UAC prompt me for elevation. We're working on
> domain redesign and I personally rarely ever log into DC's so I wanted to
> throw interactive login's to DC's into our redesign mix as we will be
> increasing restrictions around DA access.
>
> Dave
>
> -----Original Message-----
> From: Michael B. Smith [mailto:[email protected]]
> Sent: Friday, February 24, 2012 12:57 PM
> To: NT System Admin Issues
> Subject: RE: Log on to DC directly
>
> Why don't you use a custom consolidated console?
>
> -----Original Message-----
> From: Kurt Buff [mailto:[email protected]]
> Sent: Friday, February 24, 2012 2:56 PM
> To: NT System Admin Issues
> Subject: Re: Log on to DC directly
>
> On Fri, Feb 24, 2012 at 11:19, David Lum <[email protected]> wrote:
> > Barring being an SBS domain, is there really any reason someone needs
> > to log in to a DC directly unless installing an app?
> >
> > David Lum
> > Systems Engineer // NWEATM
> > Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
> Some network diagnostics will only work from there, for sure (ping, etc.).
>
> But for daily operations, not so much.
>
> Below is a set of command lines that I use from an elevated prompt to
> start the RSAT and other tools on my Win7 workstation. I log in as a
> standard user, open cmd.exe as administrator, then copy/paste these into
> the command prompt, each of which uses my Domain Admin account to do what I
> need to do.
>
> The nice thing is that opening these apps in this fashion doesn't put a
> profile for my DA account on the local machine, and we all know that you
> shouldn't log into a workstation with your DA account.
>
> I keep a notepad with the commands open at all times.
>
> Kurt
>
>
>
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\dsa.msc"
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\dssite.msc"
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\domain.msc"
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\gpmc.msc"
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\dhcpmgmt.msc"
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\dnsmgmt.msc /s"
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\eventvwr.msc /s"
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe \"C:\Program Files\Update Services\administrationsnapin\wsus.msc\""
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\tsadmin.msc"
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\compmgmt.msc"
> runas /netonly /user:[email protected] "C:\windows\system32\cmd.exe"
> runas /netonly /user:[email protected] "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
> runas /netonly /user:[email protected] "C:\windows\system32\explorer.exe"
> runas /netonly /user:[email protected] "C:\windows\system32\msra.exe /offerra"
> runas /netonly /user:[email protected] "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
> runas /netonly /user:[email protected] "C:\windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe"
> runas /netonly /user:[email protected] "C:\utils\procexp.exe"
> runas /netonly /user:[email protected] "C:\Program Files (x86)\Sunbelt Software\Enterprise\EnterpriseConsole.exe"
> runas /netonly /user:[email protected] "C:\Program Files (x86)\Microsoft\Exchange Server\V14\ExPDA\ExPDA.exe"
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\adsiedit.msc"
> runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\pkiview.msc"
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <
> http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>



-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

****** IMPORTANT INFORMATION/DISCLAIMER *****

This document should be read only by those persons to whom it is addressed.
If you have received this message it was obviously addressed to you and
therefore you can read it, even it we didn't mean to send it to you.
However, if the contents of this email make no sense whatsoever then you
probably were not the intended recipient, or, alternatively, you are a
mindless cretin; either way, you should immediately kill yourself and
destroy your computer (not necessarily in that order). Once you have taken
this action, please contact us.. no, sorry, you can't use your computer,
because you just destroyed it, and possibly also committed suicide
afterwards, but I am starting to digress...... *

* The originator of this email is not liable for the transmission of the
information contained in this communication. Or are they? Either way it's a
pretty dull legal query and frankly one I'm not going to dwell on. But
should you have nothing better to do, please feel free to ruminate on it,
and please pass on any concrete conclusions should you find them. However,
if you pass them on via email, be sure to include a disclaimer regarding
liability for transmission.
*

* In the event that the originator did not send this email to you, then
please return it to us and attach a scanned-in picture of your mother's
brother's wife wearing nothing but a kangaroo suit, and we will immediately
refund you exactly half of what you paid for the can of Whiskas you bought
when you went to Pets** ** At Home yesterday. *

* We take no responsibility for non-receipt of this email because we are
running Exchange 5.5 and everyone knows how glitchy that can be. In the
event that you do get this message then please note that we take no
responsibility for that either. Nor will we accept any liability, tacit or
implied, for any damage you may or may not incur as a result of receiving,
or not, as the case may be, from time to time, notwithstanding all
liabilities implied or otherwise, ummm, hell, where was I...umm, no matter
what happens, it is NOT, and NEVER WILL BE, OUR FAULT! *

* The comments and opinions expressed herein are my own and NOT those of my
employer, who, if he knew I was sending emails and surfing the seamier side
of the Internet, would cut off my manhood and feed it to me for afternoon
tea. *
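An added example, not code from this thread or from any of the posters: a small PowerShell launcher that does what Kurt's pasted command list does (start RSAT and other consoles under a separate admin account with "runas /netonly" from a standard-user session) but builds the command line in one place, so the quoting of paths that contain spaces is handled correctly every time. That quoting is the part of the pasted list that is easiest to get wrong, as the WSUS console line shows. The account name [email protected] is a placeholder, the console names are made up for this script, and the tool paths are the default Windows and RSAT locations, which may differ on your workstation.

```powershell
# Added example (not code from the thread or from any poster): a launcher that
# starts RSAT and other consoles under an alternate admin account with
# "runas /netonly", mirroring the command list in the thread.
# Assumptions: the admin account name below is a placeholder; the tool paths are
# the default Windows/RSAT paths and may differ on your workstation.
# Load with:  . .\admin-console.ps1    (dot-source so the functions stay defined)

param(
    [string]$AdminUser = '[email protected]'   # placeholder: your separate admin account
)

# Friendly name -> program followed by its arguments. Each array element is one
# argument; elements containing spaces are quoted automatically by Build-RunAsArgs.
$Consoles = @{
    'ad-users'   = @('C:\Windows\System32\mmc.exe', 'C:\Windows\System32\dsa.msc')
    'ad-sites'   = @('C:\Windows\System32\mmc.exe', 'C:\Windows\System32\dssite.msc')
    'ad-trusts'  = @('C:\Windows\System32\mmc.exe', 'C:\Windows\System32\domain.msc')
    'gpmc'       = @('C:\Windows\System32\mmc.exe', 'C:\Windows\System32\gpmc.msc')
    'dns'        = @('C:\Windows\System32\mmc.exe', 'C:\Windows\System32\dnsmgmt.msc', '/s')
    'events'     = @('C:\Windows\System32\mmc.exe', 'C:\Windows\System32\eventvwr.msc', '/s')
    'wsus'       = @('C:\Windows\System32\mmc.exe',
                     'C:\Program Files\Update Services\administrationsnapin\wsus.msc')
    'adsiedit'   = @('C:\Windows\System32\mmc.exe', 'C:\Windows\System32\adsiedit.msc')
    'powershell' = @('C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe')
    'cmd'        = @('C:\Windows\System32\cmd.exe')
}

function Build-RunAsArgs {
    param([string]$User, [string[]]$CommandParts)
    # runas.exe takes the program AND its arguments as one double-quoted string.
    # Inside that string, any part containing whitespace needs its own quotes,
    # written as \" so the outer quotes are not terminated early. This is the
    # rule the hand-typed WSUS line in the thread depends on.
    $inner = ($CommandParts | ForEach-Object {
        if ($_ -match '\s') { '\"' + $_ + '\"' } else { $_ }
    }) -join ' '
    return "/netonly /user:$User `"$inner`""
}

function Start-AdminConsole {
    param([Parameter(Mandatory)][string]$Name)
    if (-not $Consoles.ContainsKey($Name)) {
        Write-Error "Unknown console '$Name'. Known names: $($Consoles.Keys -join ', ')"
        return
    }
    $argLine = Build-RunAsArgs -User $AdminUser -CommandParts $Consoles[$Name]
    Write-Host "runas.exe $argLine"
    # runas prompts for the password on this console; the script never stores it.
    # A single string given to -ArgumentList is passed to runas.exe verbatim.
    Start-Process -FilePath 'runas.exe' -ArgumentList $argLine -NoNewWindow -Wait
}

# Usage after dot-sourcing:   Start-AdminConsole -Name wsus
# To list what is available:  $Consoles.Keys | Sort-Object
```

For the "wsus" entry the function produces exactly the corrected form of the line in the thread: `/netonly /user:[email protected] "C:\Windows\System32\mmc.exe \"C:\Program Files\Update Services\administrationsnapin\wsus.msc\""`. Two properties of /netonly are worth keeping in mind when using this. First, the supplied credentials are not checked when the process starts; they are only used for network authentication, so a mistyped password shows up later as access-denied errors in the console rather than at the prompt. Second, the alternate credentials are held in memory on the workstation for the lifetime of that logon session, so this approach keeps the admin account's profile off the machine, as Kurt notes, but it still means the workstation you run it from has to be one you trust for admin work.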
