Re: Creating/editing user accounts

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 11/08/01


Message-ID: <010b01c16891$2e0ee800$01000001@lauradominion.com>
From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "Derek T" <sigmafive@hotmail.com>, <focus-ms@lists.securityfocus.com>
Subject: Re: Creating/editing user accounts
Date: Thu, 8 Nov 2001 15:08:42 -0500

You can *very* easily delegate the ability to create and edit user accounts
without giving admin rights in AD. However, if I were you, my greater area
of concern would be that you're making AD publicly accessible. For this, you
should really consider using an entirely separate forest from your
production environment. If you need to synchronize information between the
two forests, this is also fairly easy to manage with ADSI or tools such as
MMS.

Regardless, you should not be giving administrative rights to accomplish
what you're asking about; it's neither necessary nor wise. Delegate creation
and modification of user objects in AD, use a separate forest, and don't
give admin rights. :-)

Laura A. Robinson
----- Original Message -----
From: "Derek T" <sigmafive@hotmail.com>
To: <focus-ms@lists.securityfocus.com>
Sent: Thursday, November 08, 2001 12:10 PM
Subject: Creating/editing user accounts

> A quick question about AD and web-enabled services.
>
> The company I work for is trying to offer the ability to open and
> manipulate accounts from the Web (kind of like Yahoo or Hotmail). The
> problem lies in the choice to use AD on the segmented network. With AD
> the only IDs with the rights to create and edit user accounts are
> sys-admins, something that you cannot allow anonymous web browsers to
> assume. Also this will be a branch off the main corporate network (in
> its own DMZ) to allow customer service reps to access and work with the
> same data from the main tree. Any ideas on how this can be accomplished
> and kept secure, or is it a pipe dream?
>
> Also in the event that a process is given the sys-admin rights instead
> of a user, what potential security implications does this pose? It
> seems as if almost every discussion of a new vulnerability starts with
> "You see, there was this process running with administrator
> rights...." =)
>
>
> Thanks for the insights
>
> D True
>
>
> "If debugging is the process of removing software bugs, then programming
> must be the process of putting them in." - L. Owando
>
>
>
>

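The delegation Laura describes (create and modify user objects in one OU, with no admin group membership) can be expressed as three ACEs on the OU. The script below is an added example written for this archive page; it is not from the thread and is not any vendor's tool. It assumes the RSAT ActiveDirectory PowerShell module (for the `AD:` drive) and uses placeholder names for the OU and the delegated group. Granting Reset Password alongside create/modify is an assumption about what "edit user accounts" needs for a public account-management site; drop that block if the web tier never resets passwords.

```powershell
# Added example (not from the original thread): delegate user-account
# creation, modification and password reset on one OU to a non-admin group.
# Requires the RSAT ActiveDirectory module. $ouDN and $groupName are
# placeholders for this illustration.
Import-Module ActiveDirectory

$ouDN      = 'OU=WebUsers,DC=example,DC=com'   # placeholder: OU holding web-created accounts
$groupName = 'WebAccountProvisioners'          # placeholder: group the web app's service account is in

$sid = (Get-ADGroup -Identity $groupName).SID

# Well-known schema GUIDs: the "user" object class and the
# "Reset Password" control access right.
$userClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Create and delete user objects only (objectType = user class) in this
#    OU and its sub-OUs. No other object class can be created here.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow,
    $userClassGuid, $inherit::All))

# 2. Read and write attributes of existing user objects below the OU.
#    inheritedObjectType = user class, so groups or computers that land in
#    this OU are not covered.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
    $inherit::Descendents, $userClassGuid))

# 3. Reset Password on those same user objects (an extended right, so the
#    objectType is the right's GUID rather than an attribute).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights::ExtendedRight, $allow,
    $resetPasswordGuid, $inherit::Descendents, $userClassGuid))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify what the group now holds on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize

# Delegation only limits the group if it is not also an administrator by
# membership. Direct membership check only; nesting needs a recursive walk.
foreach ($adminGroup in 'Domain Admins', 'Account Operators', 'Administrators') {
    $members = Get-ADGroupMember -Identity $adminGroup
    if ($members | Where-Object { $_.SID -eq $sid }) {
        Write-Warning "$groupName is a member of $adminGroup; the OU delegation does not constrain it."
    }
}
```

Run this once, as a user who can write the OU's security descriptor, in the DMZ forest where the web-facing accounts live; the service account the web application runs as then only needs membership in the delegated group. The second ACE is deliberately the broadest of the three: WriteProperty on the whole user object lets the web tier change any attribute, including ones such as userAccountControl. In production, replace it with one ACE per attribute the application actually edits (each attribute's schemaIDGUID as the objectType) so a compromised web tier can alter only those fields.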