Account Management

From: Diab Hitti (DHitti@rocktenn.com)
Date: 01/02/03

    Date: Thu, 2 Jan 2003 15:04:46 -0500
    From: "Diab Hitti" <DHitti@rocktenn.com>
    To: <focus-ms@securityfocus.com>
    

    Want to throw this one out there, hopefully to avoid re-creating the wheel.
    Objective: Use Windows 2000 SP3 AD delegation to allow Helpdesk Engineers administrative functions with least privileges in getting the task done.
    Task: To disable an active user account and to move the account out from a Windows 2000 Security Group used as an e-mail DL to avoid NDRs.
    As granular as AD delegation appears to be, I was not successful in achieving the above task without granting unnecessary, unneeded elevated privileges to the Helpdesk.
    Has anyone been successful? Or has anyone written a web-based VB script allowing strict administrative functions? Or is there another method? Purchasing a third-party solution is not an option.

    Thanks


