Re: Creating/editing user accounts

From: Thor@HammerofGod.com
Date: 11/08/01


From: Thor@HammerofGod.com
To: sigmafive@hotmail.com
Message-Id: <5.1.0.14.0.20011108120805.00adef68@192.168.3.190>
Date: Thu, 08 Nov 2001 12:10:30 -0800
Subject: Re: Creating/editing user accounts


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Right off the cuff, I would think it is risky, but doable. You could
always have the anonymous account run in the context of a specific user
that you have delegated the account operator rights to for a specific
container that you would allow the users to exist in. Then you would have
a bit of control over it.
AD

At 12:10 PM 11/8/2001 -0500, you wrote:
>A quick question about AD and web enabled services.
>
>The company I work for is trying to offer the ability to open and
>manipulate accounts from the Web (kind of like Yahoo or Hotmail). The
>problem lies in the choice to use AD on the segmented network. With AD the
>only ID with the rights to create and edit user accounts are sys-admins,
>something that you cannot allow anonymous web browsers to assume. Also
>this will be a branch off the main corporate network (in its own DMZ)
>to allow customer service reps to access and work with the same data from
>the main tree. Any ideas on how this can be accomplished and kept secure,
>or is it a pipe dream?
>
>Also in the event that a process is given the Sys-admin rights instead of
>a user, what potential security implications does this pose? It seems as
>if almost every discussion of a new vulnerability starts with "You see,
>there was this process running with administrator rights...." =)
>
>
>Thanks for the insights
>
>D True
>
>
>"If debugging is the process of removing software bugs, then programming
>must be the process of putting them in."- L. Owando

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBO+rmtohsmyD15h5gEQLj8ACfeOqbnwIYkbfXA1miZbJAwyuKtuwAoKUg
R441cUtD1A18CGbXZweR8XBf
=KBYT
-----END PGP SIGNATURE-----
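
The delegation suggested in the reply above, sketched as an added example that is not part of the original message: a dedicated low-privilege account receives create, delete and edit rights on user objects inside one OU only, and the web application's anonymous identity is then mapped to that account. It assumes the ActiveDirectory PowerShell module and `dsacls` are available; the OU name `WebCustomers` and account name `svc-webreg` are constructed placeholders.

```powershell
# Added example: OU and account names are constructed placeholders.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$netbios  = $domain.NetBIOSName
$ouName   = 'WebCustomers'      # container that will hold web-created users
$ouDn     = "OU=$ouName,$domainDn"
$svcName  = 'svc-webreg'        # identity the web application runs as

# 1. Dedicated container for the web-created accounts.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Ordinary user account for the web application. It is created outside
#    the delegated OU so that it cannot modify itself.
$pw = Read-Host -AsSecureString "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName `
    -AccountPassword $pw -Enabled $true

# 3. Delegate on this OU only.
#    CCDC;user              create/delete child objects of class user
#    RPWP;;user             read/write properties of user objects below the OU
#    CA;Reset Password;user reset passwords of those users
$trustee = "${netbios}\${svcName}"
dsacls $ouDn /G "${trustee}:CCDC;user"
dsacls $ouDn /I:S /G "${trustee}:RPWP;;user"
dsacls $ouDn /I:S /G "${trustee}:CA;Reset Password;user"

# 4. Checks: the account must hold no built-in administrative membership,
#    and its ACEs should appear on the delegated OU.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Account Operators', 'Schema Admins'
$memberOf = Get-ADPrincipalGroupMembership $svcName |
    Select-Object -ExpandProperty Name
$overlap = $memberOf | Where-Object { $privileged -contains $_ }
if ($overlap) {
    Write-Warning "$svcName is a member of: $($overlap -join ', ')"
}
dsacls $ouDn | Select-String -SimpleMatch $svcName
```

If the web process is compromised, the account's reach is limited to user objects in that one OU rather than the whole directory, which is the "bit of control" the reply refers to.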


