Re: Is complete access in a win 2003 domain a possibility?
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 10 May 2007 14:56:30 -0700
Hey Graphic Jazz, here are some factors to consider.
Administrators group does not have permissions in lots of
places in AD, so unless an account is member in some
other group, like Domain Admins, that account will have
limited access in AD.
It is expected that an account may need to be member in
multiple groups, and grants to groups are somewhat laid
out in a logical fashion, for example, just because an account
is an Administrators member that does not mean that they
need to modify Exchange settings, and vice versa, one does
not expect that an Exchange admin will necessarily always
need to be an admin of the DC servers or have Domain
Admin like capabilities across a domain context in AD.
The Administrator account might or might not be a member
in Domain Admins; it can be either way.
Setting via AdsiEdit permissions on AD objects may not
have the effect one thinks, and it can be harmful if care is
not taken. Very many places might not inherit from the top
as one might expect. People are best off not altering the
permissions on AD objects unless they carefully consider
and know what they are doing, that is, what side-effects
might result. Sometimes multiple settings need to be done
in combination; attempts to force things to inherit can wipe
out needed settings, etc. and messes can be intractable.
It sounds to me like you want an account that is in Domain
Admins (of your domain), is an Exchange admin, and if
Domain Admins is no longer in the domain's Administrators
group then an account that is also in Administrators.
You really are better off having special accounts for some
things rather than one that has everything, for example,
a special account that is in Enterprise Admins and/or Schema
Admins. Part of the reason is to limit accidents and part is to
keep the deeply essential more safe from impacts if an account
is compromised. In general, an account that has only the ability
to do the common, day to day stuff is what one should use day
in and day out.
Roger
"Graphic Jazz" <GraphicJazz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2037273F-0CF5-4CA6-AEC1-E8D41D3FFD5E@xxxxxxxxxxxxxxxx
I am an IT administrator of a very small company and was wondering if it
was possible to create a security group to add my username to that has
access to anything and everything. Just being a member of the
administrators group still seems to have denies for certain permissions.
And if I create a security group and set grants for everything in
adsiedit it then allows for some permissions that the administrators
group is denied but then denies other permissions. Being 1 of the 2
people that administrate this company I figured it would be easier for us
to have access to everything rather than delegating specific permissions
to each person.
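
A read-only check related to the reply above, added here as an example and not part of the original thread: it reports whether an account holds each of the groups named in the reply directly, through nesting (for example Domain Admins nested in Administrators), or as its primary group. It assumes a single-domain forest, PowerShell 2.0 or later, and domain controllers that support the LDAP in-chain matching rule; the function name and output columns are illustrative.

```powershell
# Added example: audit privileged-group membership for one account.
# Read-only LDAP queries; nothing in AD is modified.
param([string]$SamAccountName = $env:USERNAME)   # assumption: defaults to the current user

# Groups discussed in the thread.
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping; backslash goes first so later escapes are not doubled.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Find the account in the current domain.
$name = ConvertTo-LdapFilterValue $SamAccountName
$account = ([adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))").FindOne()
if (-not $account) { throw "Account '$SamAccountName' not found in the current domain" }

$dn         = ConvertTo-LdapFilterValue $account.Properties['distinguishedname'][0]
$primaryRid = $account.Properties['primarygroupid'][0]

foreach ($group in $privileged) {
    # Direct: the group's member attribute lists the account itself.
    $direct = ([adsisearcher]"(&(objectCategory=group)(sAMAccountName=$group)(member=$dn))").FindOne()
    # Nested: the in-chain rule (OID 1.2.840.113556.1.4.1941) walks group-in-group links.
    $chain  = ([adsisearcher]"(&(objectCategory=group)(sAMAccountName=$group)(member:1.2.840.113556.1.4.1941:=$dn))").FindOne()

    $how = if ($direct) { 'direct' } elseif ($chain) { 'nested' } else { 'none' }

    # Edge case: a primary group is not stored in the member attribute,
    # so an account whose primary group is Domain Admins (RID 512) would
    # otherwise be reported as 'none'.
    if ($group -eq 'Domain Admins' -and $primaryRid -eq 512) { $how = 'primary group' }

    New-Object psobject -Property @{
        Account    = $SamAccountName
        Group      = $group
        Membership = $how
    }
}
```

Run it once for the day-to-day account and once for each special account; a day-to-day account showing anything other than `none` for Enterprise Admins or Schema Admins is the situation the reply advises against.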