|
Posted by Roger Abell on July 1, 2005, 5:31 am
Please log in for more thread options But that was just my point Matt.
If you are an Administrators memeber on the DCs you only have
admin powers on the DCs. You do not have power on member
servers or client machines. That is how Domain Admins group
is set up in the default group nesting into members' Administrators.
So, making the account a member of Adminsitrators does limit it
down quite a bit.
My reference that the account "could" be used to obtain DA (or
EA for that matter) was not meaning to say it was simple to do so.
When I said that is a staffing issue was because the person would
have to do some hacking and use other than standard tools and
management interfaces to effect the privilege elevation, but when
determined they could (and they would know that they are doing
a no no - no way it would be simple or by mistake).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
> Roger,
>
> Thanks for clarifying what I was getting at. Your last point is what I
was
> trying to say.
>
> If you're an Administrator on a domain controller, there really isn't
> anything you can't do to the domain.
>
> Matt Gibson - GSEC
>
> > Matt,
> >
> > Even on a DC a "full admin" as in member of Administrators is only
> > pretty much an admin of all DCs, but not of the network in the way
> > that Domain Admins members are in the default members of each
> > machine local Administrators group on the members of the domain.
> >
> > Now, an Administrators member on a DC would have little problem
> > in making themselves a Domain Admins member but that is a different,
> > personnel issue.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> >> Depends if these machines are domain controllers or not.
> >>
> >> If they're domain controllers, then you're pretty much out of luck. A
> > full
> >> admin on a DC is basically an admin of the network.
> >>
> >> If they're not DCs, then you can just give his user (in AD) only logon
> >> rights to those two servers.
> >>
> >> Matt Gibson - GSEC
> >>
> >> > Hello All
> >> >
> >> > I am looking for a little assistance...
> >> >
> >> > Within our company we have two servers that have a different
> >> > administrator to the rest of the network.
> >> >
> >> > Currently the administrator of these servers uses the domain
> >> > administrator username/password to perform his admin tasks on the
> >> > server, but has also been know to use this account for other
purposes.
> >> >
> >> > So what I would like to do, is provide him with an account that ONLY
> >> > has administrator rights on this two machines that he requires
> >> > administrator access too.
> >> >
> >> > Something like user account within Windows XP on the domain server
> >> > would do the trick... but no!
> >> >
> >> > Does anyone have any ideas/advise for this?
> >> >
> >> > Thanks in advance
> >> >
> >> > David
> >> >
> >>
> >>
> >
> >
>
>
| 
XML Sitemap