Thanks for this.  I'm only a few paragraphs in, but this is great stuff.

-----Original Message-----
From: Free, Bob [mailto:[email protected]] 
Sent: Tuesday, February 28, 2012 12:13 PM
To: NT System Admin Issues
Subject: RE: Log on to DC directly

If you want to look at really tightening things up search out the articles 
Laura Robinson has written about running with 0 domain admins. She is an 
extremely bright lady and I've long admired her work from a distance. There are 
also some videos available online of her work on TechNet since she went to work 
for the borg :-)

While eliminating DAs might not be possible in your environment, her ideas 
definitely get you thinking about least privilege. I have talked to people who 
got AD audits from her team and evidently it is quite the experience.

Start here-

http://blogs.technet.com/b/lrobins/archive/2011/06/23/quot-admin-free-quot-active-directory-and-windows-part-1-understanding-privileged-groups-in-ad.aspx


-----Original Message-----
From: David Lum [mailto:[email protected]]
Sent: Monday, February 27, 2012 6:39 AM
To: NT System Admin Issues
Subject: RE: Log on to DC directly

Personally I do - I let Win7 UAC prompt me for elevation. We're working on 
domain redesign and I personally rarely ever log into DCs, so I wanted to throw 
interactive logins to DCs into our redesign mix as we will be increasing 
restrictions around DA access.

Dave

-----Original Message-----
From: Michael B. Smith [mailto:[email protected]]
Sent: Friday, February 24, 2012 12:57 PM
To: NT System Admin Issues
Subject: RE: Log on to DC directly

Why don't you use a custom consolidated console?

-----Original Message-----
From: Kurt Buff [mailto:[email protected]]
Sent: Friday, February 24, 2012 2:56 PM
To: NT System Admin Issues
Subject: Re: Log on to DC directly

On Fri, Feb 24, 2012 at 11:19, David Lum <[email protected]> wrote:
> Barring being an SBS domain, is there really any reason someone needs 
> to log in to a DC directly unless installing an app?
>
> David Lum
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764

Some network diagnostics will only work from there, for sure (ping, etc.).

But for daily operations, not so much.

Below is a set of command lines that I use from an elevated prompt to start the 
RSAT and other tools on my Win7 workstation. I log in as a standard user, open 
cmd.exe as administrator, then copy/paste these into the command prompt, each 
of which uses my Domain Admin account to do what I need to do.

The nice thing is that opening these apps in this fashion doesn't put a profile 
for my DA account on the local machine, and we all know that you shouldn't log 
into a workstation with your DA account.

I keep a notepad with the commands open at all times.

Kurt



rem AD / GPO / name-service consoles (mmc.exe with the snap-in as its argument)
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\dsa.msc"
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\dssite.msc"
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\domain.msc"
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\gpmc.msc"
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\dhcpmgmt.msc"
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\dnsmgmt.msc /s"
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\eventvwr.msc /s"
rem a path with spaces inside the outer quotes needs its own escaped quotes
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe \"C:\Program Files\Update Services\administrationsnapin\wsus.msc\""
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\tsadmin.msc"
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\compmgmt.msc"
rem shells and general tools
runas /netonly /user:[email protected] "C:\windows\system32\cmd.exe"
runas /netonly /user:[email protected] "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
runas /netonly /user:[email protected] "C:\windows\system32\explorer.exe"
runas /netonly /user:[email protected] "C:\windows\system32\msra.exe /offerra"
runas /netonly /user:[email protected] "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
runas /netonly /user:[email protected] "C:\windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe"
runas /netonly /user:[email protected] "C:\utils\procexp.exe"
runas /netonly /user:[email protected] "C:\Program Files (x86)\Sunbelt Software\Enterprise\EnterpriseConsole.exe"
runas /netonly /user:[email protected] "C:\Program Files (x86)\Microsoft\Exchange Server\V14\ExPDA\ExPDA.exe"
rem low-level AD and PKI consoles
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\adsiedit.msc"
runas /netonly /user:[email protected] "C:\windows\system32\mmc.exe C:\windows\system32\pkiview.msc"

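The practice described in this thread (no interactive DA logons on DCs; drive RSAT from a workstation with runas /netonly instead) can be checked against the Security log. The Python below is an added example, not from any poster, that parses constructed 4624 records in the wevtutil XML export shape and flags interactive logon types on domain controllers for privileged accounts; the hostnames, account names and the EXAMPLE domain are made up.

```python
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
INTERACTIVE = {2, 10, 11}   # Interactive, RemoteInteractive, CachedInteractive
NEW_CREDENTIALS = 9         # logon type runas /netonly produces on the workstation

def event(computer, user, logon_type):
    """Build one constructed Security 4624 record in wevtutil-style XML."""
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>4624</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">EXAMPLE</Data>'
            f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')

# Constructed sample export (not real logs): RDP and console logons to DCs with
# DA accounts, the /netonly footprint on a workstation, and an RSAT network logon.
SAMPLE_XML = "<Events>" + "".join([
    event("DC01.example.local", "kurt-da", 10),
    event("WS17.example.local", "kurt-da", NEW_CREDENTIALS),
    event("DC01.example.local", "kurt-da", 3),
    event("DC02.example.local", "bob-da", 2),
]) + "</Events>"

def parse_4624(xml_text):
    """Return one dict (computer, user, logon_type) per 4624 event."""
    root = ET.fromstring(xml_text)
    rows = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        rows.append({"computer": ev.findtext("e:System/e:Computer", namespaces=NS).lower(),
                     "user": data.get("TargetUserName", "").lower(),
                     "logon_type": int(data.get("LogonType", "0"))})
    return rows

def dc_interactive_logons(rows, privileged_users, domain_controllers):
    """Flag privileged accounts logging on interactively (console, RDP, cached)
    to a domain controller.  Type 3 on the DC (what RSAT over /netonly causes)
    and type 9 on the workstation are deliberately not flagged."""
    priv = {u.lower() for u in privileged_users}
    dcs = {h.lower() for h in domain_controllers}
    return [(r["computer"], r["user"], r["logon_type"]) for r in rows
            if r["computer"] in dcs and r["user"] in priv and r["logon_type"] in INTERACTIVE]

if __name__ == "__main__":
    for hit in dc_interactive_logons(parse_4624(SAMPLE_XML), ["kurt-da", "bob-da"],
                                     ["DC01.example.local", "DC02.example.local"]):
        print("interactive privileged logon on DC:", hit)
```

On a real system the same XML shape comes from `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml`, wrapped in a root element before parsing.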
~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
