Posted by Roger Abell [MVP] on September 11, 2007, 9:09 am
> Let's assume that AD is tightened up a bit, I need to be able to see all
> administrator accounts, and all information around them?
>
> As far as the local accounts, our admins have added domain accounts to local
> groups, so I need to be able to read the same information locally?
>
Have you tried?
AD objects carry default grants to Authenticated Users such that
what you seem to be indicating as needed ("see all administrator
accounts" - what do you mean by that __exactly__ ?) can happen.
For machine local accounts, I feel I previously provided an answer.
Roger
> "Roger Abell [MVP]" wrote:
>
>> > I need to know how, if possible, can you set up a user that can have read
>> > access to AD to be able to browse all Administrator level accounts, but not
>> > be able to modify AD in any fashion? The reason for this is to be able to
>> > have our security monitoring area be able to document and research any
>> > Administrator level accounts anywhere in our AD.
>> >
>>
>> If measures have not been taken to move your forest/domains away from
>> the as-installed settings, then any account in the forest can do that
>> (well, I guess it depends on what "able to browse all Administrator level
>> accounts" intends to mean. If it means list out accounts in the groups,
>> then that already is possible from any standard account of the forest.)
>>
>> > I would also like to know if the same is possible for the local accounts
>> > for both 2000 and 2003 AD members and standalone servers?
>>
>> The account used would need to have Users group membership on the
>> machines. Also, login rights for the type of access to be used for the
>> examination, network access from the monitoring machine(s), etc.
>>
>> Roger
>>
>>
>>
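Added example, not part of the thread and not code from any poster: a read-only audit script that a monitoring account could run to list the members of the privileged domain groups and of a machine's local Administrators group, as the replies above describe. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the directory still has the default read grants to Authenticated Users, and that the account has Users membership and network logon rights on the target machines; the host names and output file names are placeholders.

```powershell
# Read-only audit of privileged accounts. Run as an ordinary domain user;
# nothing here writes to the directory or to the target machines.
Import-Module ActiveDirectory

# Built-in privileged groups; add site-specific admin groups as needed.
$groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

$domainReport = foreach ($g in $groups) {
    try {
        # -Recursive expands nested groups down to the leaf accounts.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName `
                        -Properties LastLogonDate, PasswordLastSet, whenCreated
                [pscustomobject]@{
                    Group           = $g
                    Account         = $u.SamAccountName
                    Enabled         = $u.Enabled
                    LastLogonDate   = $u.LastLogonDate
                    PasswordLastSet = $u.PasswordLastSet
                    Created         = $u.whenCreated
                    DN              = $u.DistinguishedName
                }
            }
    } catch {
        # e.g. Enterprise Admins only exists in the forest root domain,
        # or read access to the group has been tightened.
        Write-Warning "Could not read '$g': $($_.Exception.Message)"
    }
}

# Local Administrators on a member or standalone server, via the WinNT provider.
function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{ Computer = $ComputerName; Member = $path -replace '^WinNT://', '' }
    }
}

$servers = 'SERVER01', 'SERVER02'   # placeholder host names
$localReport = foreach ($s in $servers) { Get-LocalAdminMember -ComputerName $s }

$domainReport | Export-Csv -NoTypeInformation -Path .\privileged-domain-accounts.csv
$localReport  | Export-Csv -NoTypeInformation -Path .\local-administrators.csv
```

Domain accounts that admins have added to local groups show up in the second report as DOMAIN/name entries, so the two CSV files can be joined on account name.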