Re: Creating/editing user accounts

From: Laura A. Robinson
Date: 11/08/01

Message-ID: <010b01c16891$2e0ee800$>
From: "Laura A. Robinson" <>
To: "Derek T" <>, <>
Subject: Re: Creating/editing user accounts
Date: Thu, 8 Nov 2001 15:08:42 -0500

You can *very* easily delegate the ability to create and edit user accounts
without giving admin rights in AD. However, if I were you, my greater area
of concern would be that you're making AD publicly accessible. For this, you
should really consider using an entirely separate forest from your
production environment. If you need to synchronize information between the
two forests, this is also fairly easy to manage with ADSI or tools such as

Regardless, you should not be giving administrative rights to accomplish
what you're asking about; it's neither necessary nor wise. Delegate creation
and modification of user objects in AD, use a separate forest, and don't
give admin rights. :-)

Laura A. Robinson
----- Original Message -----
From: "Derek T" <>
To: <>
Sent: Thursday, November 08, 2001 12:10 PM
Subject: Creating/editing user accounts

> A quick question about AD and web-enabled services.
> The company I work for is trying to offer the ability to open and
> accounts from the Web (kind of like Yahoo or Hotmail). The problem lies in
> the choice to use AD on the segmented network. With AD the only IDs with
> rights to create and edit user accounts are sys-admins, something that you
> cannot allow anonymous web browsers to assume. Also this will be a branch
> off the main corporate network (in its own DMZ) to allow customer
> reps to access and work with the same data from the main tree. Any ideas
> how this can be accomplished and kept secure, or is it a pipe dream?
> Also, in the event that a process is given the sys-admin rights instead of
> user, what potential security implications does this pose? It seems as if
> almost every discussion of a new vulnerability starts with "You see,
> was this process running with administrator rights...." =)
> Thanks for the insights
> D True
> "If debugging is the process of removing software bugs, then programming
> must be the process of putting them in." - L. Owando
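As an added example that is not part of the original thread, here is how the delegation Laura recommends (create and edit user objects in one OU, no admin group membership) can be expressed with the RSAT ActiveDirectory PowerShell module. The OU name and group name are assumptions; the module, the `AD:` drive and the `user` class GUID are real.

```powershell
# Added example (not from the thread): delegate "create and edit user objects"
# on one OU to a non-admin group, then read the resulting ACEs back.
# Assumptions (placeholders): the OU and group below exist; the RSAT
# ActiveDirectory module is installed; you run this as an account that can
# modify the OU's security descriptor (its owner or a domain admin).
Import-Module ActiveDirectory

$ouDn     = 'OU=WebUsers,DC=example,DC=com'   # assumed OU for web-created accounts
$groupSam = 'WebAccountProvisioners'           # assumed group the web tier runs as

# schemaIDGUID of the "user" object class (same value in every AD schema)
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$sid = (Get-ADGroup -Identity $groupSam).SID
$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: create objects of class "user" directly in this OU (no inheritance).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

# ACE 2: read and write properties of user objects below this OU only
# (inheritedObjectType = user limits the ACE to descendant user objects).
# Password resets are a separate extended right and are NOT granted here.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list only the ACEs granted to the delegated group. Nothing above
# changes membership of Domain Admins or any other built-in admin group.
Get-Acl -Path "AD:\$ouDn" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```

The same two ACEs are what the Delegation of Control wizard writes for a custom "user objects" task; scoping them to one OU keeps the web tier's account away from every other container in the forest.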