It's worse that Power User on a regular machine, because the amount of work
necessary to "elevate" rights is very trivial in the Local to Domain Admin
scenario.

-ASB: http://XeeSM.com/AndrewBaker


On Sun, Mar 7, 2010 at 9:53 AM, Kurt Buff <[email protected]> wrote:

> So, it's essentially the same as a power user on a regular machine -
> they only reason they're not an administrator is because they don't
> want to be, or haven't done the research.
>
> Kurt
>
> On Sun, Mar 7, 2010 at 00:56, Ken Schaefer <[email protected]> wrote:
> > An account that is in the BUILTIN\Administrators group on a DC has full
> control over that DC, including the ability to run things as LocalSystem.
> LSASS (which hosts the AD runs as LocalSystem) - so, effectively you have
> control over that process. I'm sure you can know figure out a number of
> ways, of varying amounts of effort, to have an account in the Administrators
> group alter or update the directory so that they are now also in the Domain
> Admins group (or any other group for that matter)
> >
> > Cheers
> > Ken
> >
> > -----Original Message-----
> > From: Kurt Buff [mailto:[email protected]]
> > Sent: Saturday, 6 March 2010 2:03 AM
> > To: NT System Admin Issues
> > Subject: Re: BuiltIn\Administrators group on a DC
> >
> > Actually, I'm not really satisfied, but it's not his job to tell me if I
> can find out on my own.
> >
> > The reason I want to know is that if I can't demonstrate it to a manager,
> preferably in a test environment, they will most likely make a stupid
> decision at some point. Kinda like what you're going through now.
> >
> > Kurt
> >
> > On Fri, Mar 5, 2010 at 09:41, David Lum <[email protected]> wrote:
> >> I'm actually fine with his answer (I'm sure you are too actually ). I
> don't want to know how to do this, but I am glad to know that it's a
> consideration.
> >>
> >> I found this on an Expert's Exchange post and like it a lot: "The
> difference between making a user a member of Administrators on a DC versus
> making them a Domain Admin is an implementation detail - for example, Domain
> Admins are members of the local Administrators group on each domain-joined
> workstation and member server, BUILTIN\Administrators are not, and
> BUILTIN\Administrators is a Domain Local group whereas Domain Admins is a
> global group.  So making a user a Domain Admin will automatically profer
> certain rights to domain-joined workstations and servers that
> BUILTIN\Administrators does not...but at the end of the day a member of
> BUILTIN\Administrators on a DC still has the effective rights of a Domain
> Admin, and so a determined user could figure out how to grant themselves
> whatever rights they don't have by default on workstations/member servers.
> >>
> >> From a security perspective, BUILTIN\Administrators membership should be
> treated as the security equivalent of Domain Admins, even though there are
> certain implementation details that may differ.”
> >>
> >> Ultimately, it *is* about what I expected to hear about that account.
> >>
> >> Dave
> >>
> >> -----Original Message-----
> >> From: Kurt Buff [mailto:[email protected]]
> >> Sent: Friday, March 05, 2010 9:21 AM
> >> To: NT System Admin Issues
> >> Subject: Re: BuiltIn\Administrators group on a DC
> >>
> >> Spoilsport!
> >>
> >> Heh.
> >>
> >> On Fri, Mar 5, 2010 at 08:41, Michael B. Smith <[email protected]>
> wrote:
> >>> Builtin\administrators require one step – which I’m not going to
> >>> document here – to make themselves a domain admin.
> >>>
> >>>
> >>>
> >>> Regards,
> >>>
> >>>
> >>>
> >>> Michael B. Smith
> >>>
> >>> Consultant and Exchange MVP
> >>>
> >>> http://TheEssentialExchange.com
> >>>
> >>>
> >>>
> >>> From: David Lum [mailto:[email protected]]
> >>> Sent: Friday, March 05, 2010 11:39 AM
> >>> To: NT System Admin Issues
> >>> Subject: BuiltIn\Administrators group on a DC
> >>>
> >>>
> >>>
> >>> Is it true that just because a normal domain account is a member of
> >>> this group on a DC that they do *not* have the same permissions as a
> >>> domain admin?
> >>>
> >>>
> >>>
> >>> I want to know of this statement is correct:
> >>>
> >>> ----------------------------------------------------
> >>>
> >>> “If this service account could log on to the DC locally or via RDP
> >>> (it can’t due to a GPO we have for service accounts) then it could
> >>> (in theory) access the ADUC console but even then it cannot do
> >>> anything because since it’s not a member of Domain Admins or any group
> allowed delegation.
> >>>
> >>>
> >>>
> >>> Example, adding a user account, the ADUC console tests
> >>> <domain>\<service
> >>> account> against the “allowed to create user account in the domain”
> >>> account> ACL, and
> >>> BuiltIn\Administrators isn’t on that list.
> >>>
> >>> ----------------------------------------------------
> >>>
> >>>
> >>>
> >>> What we’re trying to do is allow a program that requires local admin
> >>> rights to install a program on a 2003 DC w/out making it a domain
> >>> admin, and my understanding is BuiltIn\Administrators can do this.
> >>>
> >>> David Lum // SYSTEMS ENGINEER
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Reply via email to