On Mon, Jun 22, 2009 at 3:50 PM, David Lum <[email protected]> wrote:
> If I add a machine to a group (say, my SMS server as a local admin to my 
> desktop),
> what am I exactly enabling?

  It means the NT machine account is now a member of that group.
Nothing more, nothing less.

    Machine accounts are just user accounts, as far as the NT security
model is concerned.  If the machine is "FOO" and your domain is
"NWEA", then the NT machine account is "NWEA\FOO$".  The dollar sign
means it is hidden.

  Computer startup and shutdown scripts run in the context of the
machine account when it comes to accessing network resources.  That's
the major practical application that I'm aware of.

> Accounts logged in as “Local Service” to interact with my machine?

  Nope, that would be "FOO\LocalService", a different account and a
different security authority.  LocalService isn't supposed to have
access to any network resources.

  Now, theoretically, it may be that LocalService has sufficient
privileges to hijack the machine account and impersonate it.
Anything's possible with root access.

> Does it mean anyone logged onto that machine would have
> local admin rights to my PC?

  Definitely not!  The NT machine account has nothing to do with the
logged on user.

-- Ben
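
One way to audit the situation the thread describes, as an added example that is not part of the original message: list the members of the local Administrators group and flag any that are computer accounts (names ending in `$`, e.g. `NWEA\FOO$`). It assumes the `Microsoft.PowerShell.LocalAccounts` module (Windows 10 / Server 2016 and later); the group name is a parameter so other groups can be checked too.

```powershell
# Added example: find machine (computer) accounts nested in a local group.
# A machine account is just another principal; its name ends in "$" and is
# hidden from normal browsing, so it is easy to overlook in a group listing.
function Get-MachineAccountMembers {
    param(
        [string]$Group = 'Administrators'   # local group to inspect
    )

    # Get-LocalGroupMember exposes Name, ObjectClass, PrincipalSource and SID
    # for every direct member of the group.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop

    foreach ($m in $members) {
        # Computer accounts are named DOMAIN\HOST$; the trailing "$" is the
        # reliable marker. ObjectClass is reported as well for context.
        $isMachine = $m.Name -match '\$$'
        [pscustomobject]@{
            Group           = $Group
            Member          = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            SID             = $m.SID.Value
            IsMachineAccount = $isMachine
        }
    }
}

# Show every member, then only the machine accounts that hold local admin.
$all = Get-MachineAccountMembers -Group 'Administrators'
$all | Format-Table -AutoSize

$machines = $all | Where-Object IsMachineAccount
if ($machines) {
    Write-Host "Machine accounts with local admin on $env:COMPUTERNAME:"
    $machines | Select-Object Member, SID | Format-Table -AutoSize
} else {
    Write-Host "No machine accounts are members of Administrators."
}
```

Each flagged entry is a host whose startup/shutdown scripts and other code running as the machine account can reach this PC with admin rights over the network, which is exactly the scope Ben describes (and not the users logged on to that host).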
