Re: Question for WinInstall customers

From: Andy (andrew_taylor_ihatespammcse@yahooihatespam.com)
Date: 07/04/02


From: "Andy" <andrew_taylor_ihatespammcse@yahooihatespam.com>
Date: Wed, 3 Jul 2002 20:32:49 -0500


Our Active Directory domain encompasses multiple business units (i.e.
multiple financial entities) throughout North America and Central America.
The Domain Admins group is used and managed by a separate business unit.
For security reasons, it just doesn't make sense to give that IT group,
which is located in another city and mostly outsourced, administrative
access to every desktop PC on our campus. (They don't want the
responsibility for that type of access to our environment any more than we
want to give them that type of access.)

Management, membership, and ownership of the Domain Admins group is not up
for negotiation and most likely cannot be changed. In fact, it is possible,
even with a decent business case, that we will never even gain access to an
account in the Domain Admins group at all. The other business unit "owns"
the AD environment and manages all of the domain controllers; they merely
allow our institution to play there by giving us specific rights and
permissions to specific OUs within the domain. We could build our own AD
forest, but that introduces even more complications, since our Exchange
environment is already part of the existing, global AD forest.

Also, from a security point of view, if a service account is to be used
solely for deployment of desktop applications in our business unit only (the
different business units use different solutions in this area), it really
should not have administrative access to every domain controller in the
Americas, anyway. It seems strange to me that the application requires
Domain Admins membership to distribute desktop software. As long as it has
the appropriate access on the PCs where it will be installing software, I
don't understand why it should matter what group object is being used.
However, from what I'm hearing from the vendor, it appears that they are
relying on several default permissions and rights that are assigned by
default to the Domain Admins group object.

That last point is also problematic for us. Our AD environment has been
heavily tweaked by the global design team (which resides in Europe). Many
default permissions of the built-in objects have likely been altered. In
other words, even if we gain access to the coveted Domain Admins group
(which is unlikely), it may not have the rights and permissions we need,
anyway.

All of the aforementioned is why I need to know if anyone has ever
configured the rights and permissions required by WinInstall manually by
assigning them to an AD group or user object (as I described in my original
post). As I mentioned, the Veritas technical person seemed to think it was
possible. I need to find out if anyone has done it in the real world.

I realize that the above situation is not ideal, that the company business
units should work better together, etc., etc., etc., but the bottom line is
I need to figure out if this product can work in my existing environment
with the constraints I'm dealing with. WinInstall is in many ways a good
product, but if it cannot work in our environment, we'll have to start over
with something else.

Thanks,
Andy

"Bill Stewart" <bstewart@iname.no_spam.com> wrote in message
news:e9qU7DtICHA.1600@tkmsftngp12...
> "Andy" <andrew_ihatespamtaylor_mcse@yahooihatespam.com> wrote in message
> news:uz$HmorICHA.2052@tkmsftngp08...
>
> > Apparently the WinInstall documentation recommends using an account with
> > Domain Admins group membership for software distribution. Using the Domain
> > Admins group for this purpose is not desirable in our environment for several
> > reasons.
>
> What are the reasons? Perhaps that would help in obtaining a solution.
>
>
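The post above asks whether a deployment service account can be scoped to the rights it actually needs on a business unit's OUs instead of being placed in Domain Admins. As an added example (not code from the original thread, from WinInstall, or from Veritas), the following PowerShell function checks the two things the poster is worried about: whether the account has ended up in Domain Admins through any nesting, and which access control entries it has actually been granted on the target OU and on the Domain Controllers container. It assumes the RSAT ActiveDirectory module is installed; the function name, the account name and the OU distinguished name are placeholders to be replaced with your own values.

```powershell
# Added example, not part of the original post. Assumes the RSAT
# ActiveDirectory module; Import-Module also creates the AD: PSDrive used below.
Import-Module ActiveDirectory

function Test-DeploymentAccountScope {
    param(
        # Placeholder: sAMAccountName of the deployment service account.
        [Parameter(Mandatory)] [string] $AccountSamName,
        # Placeholder: distinguished name of the OU the business unit controls.
        [Parameter(Mandatory)] [string] $TargetOU
    )

    # 1. The deployment account should not be a Domain Admin, directly or via a nested group.
    $daMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
    $inDomainAdmins = [bool]($daMembers | Where-Object { $_.SamAccountName -eq $AccountSamName })

    # 2. Which rights has the account explicitly been delegated on the target OU?
    #    IdentityReference on AD ACEs is a DOMAIN\name NTAccount, so match on the trailing name.
    $ouAcl = Get-Acl -Path "AD:\$TargetOU"
    $ouAces = $ouAcl.Access |
        Where-Object { $_.IdentityReference.Value -like "*\$AccountSamName" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType

    # 3. A desktop deployment account has no business holding rights on the domain controllers.
    $dcContainer = (Get-ADDomain).DomainControllersContainer
    $dcAcl = Get-Acl -Path "AD:\$dcContainer"
    $dcAces = $dcAcl.Access |
        Where-Object { $_.IdentityReference.Value -like "*\$AccountSamName" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType

    [pscustomobject]@{
        Account                 = $AccountSamName
        InDomainAdmins          = $inDomainAdmins
        TargetOU                = $TargetOU
        TargetOUAccessEntries   = @($ouAces)
        DomainControllerEntries = @($dcAces)
        # Least-privilege outcome: not a Domain Admin, something delegated on the OU,
        # nothing delegated on the Domain Controllers container.
        ScopedCorrectly         = (-not $inDomainAdmins) -and (@($ouAces).Count -gt 0) -and (@($dcAces).Count -eq 0)
    }
}

# Usage (placeholder values):
# Test-DeploymentAccountScope -AccountSamName 'svc-deploy' `
#     -TargetOU 'OU=Workstations,OU=OurUnit,DC=example,DC=com' | Format-List
```

The output only reports what has been delegated on the directory side; the rights the account needs on the workstations themselves (local Administrators membership, share and file permissions) are a separate check, and the ACEs returned here are what you would compare against the vendor's stated requirements when building a delegated group instead of relying on Domain Admins defaults.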


