Re: Creating/editing user accounts
From: Thor@HammerofGod.com
Date: 11/09/01
- Previous message: Laura A. Robinson: "Re: Creating/editing user accounts"
- In reply to: Laura A. Robinson: "Re: Creating/editing user accounts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Thor@HammerofGod.com
To: larobins@bellatlantic.net
Message-Id: <5.1.0.14.0.20011108145157.00a8a1e8@192.168.3.190>
Date: Thu, 08 Nov 2001 15:05:21 -0800
Subject: Re: Creating/editing user accounts
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 05:41 PM 11/8/2001 -0500, Laura A. Robinson wrote:
>As would I. By doing this, you could gain more fine-grained control of
>things such as requiring fields that would not necessarily be required by
>default without having to modify the schema; applying data validation rules;
>allowing a process to create the user object so that it would not be
>necessary to delegate permissions to do so directly to the web users; and
>even creating processes to approve the creation of the user objects before
>they were added to AD.
Indeed! I bet something like this would be great use of the application
pool's user context specification in IIS 6.0. You could build some COM
objects to securely enter data into a DB that was then parsed for default
business rules with a kick-out report for any follow-up that would need to
be done. That guy could check for "new record" extents to ensure that X
number of records could not be posted within Y time frame (something I
*always* do whenever I take untrusted user input and store it somewhere) or
something along those lines...
You could also ensure that the requests could only come from that box (or
cluster) and give it a key to match up with the process that actually has
the ability to create the accounts. Hmmm....
> It is
> simpler to remove that capability than it is to grant it, and setting it as
> a default allows users to add their machines in the event that they're
> running a scripted install, etc.
Well, it is already the default setting:
<docs snip>
This policy is valid only on domain controllers. By default, any
authenticated user has this right and can create up to ten computer
accounts in the domain.
Adding a computer account to the domain allows the computer to participate
in Active Directory based networking. For example, adding a workstation to
a domain allows that workstation to recognize accounts and groups that
exist in Active Directory.
</snip>
So that is why I always change the perms in my Domain Controller Policy to
yank that guy out of there!!
AD
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBO+sPsYhsmyD15h5gEQKBsACeKyuicLiRQVtmRWWUHKkIdrvg4V0AoO8Q
1RckbwC1KUXy4iuvkAnOFYpG
=1ZEE
-----END PGP SIGNATURE-----
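The right the quoted documentation describes is "Add workstations to domain" (SeMachineAccountPrivilege), granted by default to Authenticated Users (S-1-5-11) in the Default Domain Controllers Policy. One way to check, from a security template exported with `secedit /export /cfg`, whether that right is still held by a broad principal is shown below. This is an added example for this page, not code from the thread; the two INF excerpts are constructed to look like an export (a real export file is UTF-16 and has many more sections), and the set of "broad" SIDs is the example's own choice.

```python
"""Added example: audit the 'Add workstations to domain' user right from a
secedit-style security template export.

A template has a [Privilege Rights] section with lines such as
    SeMachineAccountPrivilege = *S-1-5-11
where each holder is a *SID or an account name, comma separated.  The
functions below parse that section and report which broad principals
hold a given right.  The INF text here is constructed for the example.
"""
import re

# Well-known SIDs that mean "essentially everyone" for this purpose.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "Users",
}

# Constructed excerpt resembling the default Domain Controllers policy.
SAMPLE_DEFAULT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed excerpt after the right has been restricted to Domain Admins
# (S-1-5-21-<domain>-512 would be the real SID; the placeholder is obvious).
SAMPLE_HARDENED = """\
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-21-DOMAINPLACEHOLDER-512
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
"""


def parse_privilege_rights(inf_text: str) -> dict[str, list[str]]:
    """Return {privilege: [holder, ...]} from the [Privilege Rights] section.
    Holders keep their leading '*' stripped; account names are left as-is."""
    rights: dict[str, list[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            in_section = m.group(1).strip().lower() == "privilege rights"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def broad_holders(inf_text: str, privilege: str = "SeMachineAccountPrivilege") -> list[str]:
    """Names of broad principals (see BROAD_SIDS) that hold `privilege`.
    An empty list means the right is not granted to any of them."""
    holders = parse_privilege_rights(inf_text).get(privilege, [])
    return [BROAD_SIDS[h] for h in holders if h in BROAD_SIDS]


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        found = broad_holders(text)
        verdict = ", ".join(found) if found else "no broad principal"
        print(f"{label}: Add workstations to domain held by {verdict}")
```

The same parser works for any other right in the export, so the check is easy to extend to, for example, SeNetworkLogonRight. Removing the right from Authenticated Users is the change the message describes; note that it is separate from the ten-account limit the documentation mentions, which is a domain-level setting and not part of the user right itself.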