RE: W2K Domain Selection

From: Massimo Ciscato (massimo.ciscato@europeloan.com)
Date: 01/14/02


From: Massimo Ciscato <massimo.ciscato@europeloan.com>
To: 'Fab Siciliano' <fsiciliano@optiumcorp.com>, Raoul Armfield <armfield@amnh.org>
Date: Mon, 14 Jan 2002 15:18:37 +0100

Guys, this thread is a bit confusing.
What kind of domain are you talking about? NT or 2000/ActiveDirectory?
I guess NT, since you talk only about one NT server.
In that case, is the NT server a PDC (Primary Domain Controller)? I guess
so.
If yes, have you registered your workstations in that domain?
In that case you can log in on the domain, with the login you have created on
the PDC, and the user will have the privileges you grant him on the PDC
(regular user, power user, Domain Admin, etc.).
If you log in on the local machine then things change.
Mind that the user on the domain and the one on the workstation are not the
same user!
For example if you have a domain called MYDOMAIN and a workstation called
WORKSTATION and one user called John, then the two users

 MYDOMAIN\John

and

 WORKSTATION\John

are two different users, each with his own set of rights.
Also, domain administrators have administrator rights on all machines; the
opposite is of course not true.
It gets more complex if you involve more domains which you want to trust.
I have had a few headaches about this stuff before, so if you need help just
drop me a mail with some more details about what you want to achieve.

Massimo

-----Original Message-----
From: Fab Siciliano [mailto:fsiciliano@optiumcorp.com]
Sent: Thursday, January 10, 2002 7:13 PM
To: Raoul Armfield
Cc: 'Andrew Jones'; 'David Giacchetta';
security-basics@securityfocus.com
Subject: RE: W2K Domain Selection

That probably depends on whether the 2 domains have a trust relationship
established. Then...the "admin" can have the same rights on both domains.

-Fab

On Wed, 9 Jan 2002, Raoul Armfield wrote:

> Do you mean least restrictive rights? If so, yes, they take precedence;
> however, one domain is independent of rights on another domain. For
> instance, if on domain A you have admin rights and on domain B you
> have user rights, you cannot accomplish administrative tasks on
> Domain B even though you have admin rights on domain A.
>
> Raoul Armfield
>
>
> > -----Original Message-----
> > From: Andrew Jones [mailto:Andrew.Jones@meggitt.demon.co.uk]
> > Sent: Tuesday, January 08, 2002 12:27 PM
> > To: 'David Giacchetta'; security-basics@securityfocus.com
> > Subject: RE: W2K Domain Selection
> >
> >
> > Would I be right in thinking that the lowest rights on a
> > domain take precedence, so, if you have lower rights on one
> > of your domains then they will take over any other rights?
> >
> > Just my $0.02
> >
> > Andrew Jones
> > Technical Advisor
> > Meggitt Petroleum Systems
> > Tel +44 (0)2476 697417 Ext. 40
> > Fax +44 (0)2476 418210
> > Andrew.Jones@meggitt.demon.co.uk
> >
> >
> > > -----Original Message-----
> > > From: David Giacchetta [SMTP:emouyon@yahoo.com.ar]
> > > Sent: Monday, January 07, 2002 2:05 PM
> > > To: security-basics@securityfocus.com
> > > Subject: W2K Domain Selection
> > >
> > > Hi Folks
> > >
> > > I've seven domains in my WAN, and also the workstations are W2K. The
> > > big question is this: WHY, when I select the local domain on the
> > > workstation (for example, the domain of the machine) at login, do
> > > ALL the rights work better, but if I select another domain, e.g. an
> > > NT4 Server domain, the user doesn't get all his rights?
> > > If a user has an Administrator right when logging in to a local
> > > domain, why does this user have only a simple right when logging in
> > > over an NT4 domain?
> > > Of course, the rights over the network work well... the problem is
> > > on the machine....
> > >
> > > Sincerely Yours
> > >
> > > Luciano
> > >
> >
>
>
> ----------------------------------------------------------------------
> gpg: Warning: using insecure memory!
> gpg: Signature made Wed 09 Jan 2002 01:18:27 PM EST using DSA key ID 8B9342DA
> gpg: Can't check signature: public key not found
> ----------------------------------------------------------------------
>

-- 
--
Fab Siciliano
Networks and Security
Optium Corporation
Tel.215.712.6200
Fax.215.712.7448
http://www.optiumcorp.com
--
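
The distinction Massimo draws at the top of this message (MYDOMAIN\John and WORKSTATION\John are separate accounts, and domain administrators hold administrator rights on member machines) can be checked on a workstation with the PowerShell below. It is an added example, not part of the original thread; it assumes a domain-joined machine with PowerShell 5.1 or later, and `MYDOMAIN` and `John` are the sample names from the message, to be replaced with real ones.

```powershell
# Added example, not from the thread. Sample names taken from the message above.
$Domain   = 'MYDOMAIN'   # assumption: NetBIOS name of the domain
$UserName = 'John'       # assumption: an account name that exists in both places

function Resolve-AccountSid {
    # Translate AUTHORITY\name to its SID; $null when the name cannot be resolved.
    param([string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null
    }
}

# 1. Same name under two authorities: each account has its own SID, and access
#    checks are made against the SID, never against the bare name "John".
foreach ($authority in $Domain, $env:COMPUTERNAME) {
    [pscustomobject]@{
        Account = "$authority\$UserName"
        Sid     = Resolve-AccountSid "$authority\$UserName"
    }
}

# 2. Which of the two identities is this session actually running as?
$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($me)
[pscustomobject]@{
    LoggedOnAs   = $me.Name          # AUTHORITY\name of the current logon
    Sid          = $me.User.Value
    # Reports False in a non-elevated session when UAC has filtered the token.
    IsLocalAdmin = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 3. Who holds administrator rights on THIS machine, and from which authority.
#    S-1-5-32-544 is the well-known SID of the local Administrators group.
#    On a domain member the list normally includes the domain's Domain Admins
#    group, added when the machine joined; that membership is why domain
#    administrators are administrators here, while a local administrator
#    gains nothing in the domain.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource, SID
```

A domain user who is an administrator in the domain but appears in step 3 neither directly nor through a group has only ordinary user rights on that workstation.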


