Re: Question for WinInstall customers

From: Andy (
Date: 07/09/02

From: "Andy" <>
Date: Mon, 8 Jul 2002 18:00:55 -0500

[Cross-posting thread with replies from the Win2000 security newsgroup. My
apologies for the additional bandwidth.]

"Andy" <> wrote in message
> Our Active Directory domain encompasses multiple business units (i.e.
> multiple financial entities) throughout North America and Central America.
> The Domain Admins group is used and managed by a separate business unit.
> For security reasons, it just doesn't make sense to give that IT group,
> which is located in another city and mostly outsourced, adminsitrative
> access to every desktop PC on our campus. (They don't want the
> responsibility for that type of access to our environment any more than we
> want to give them that type of access.)
> Management, membership, and ownership of the Domain Admins group is not up
> for negotiation and most likely cannot be changed. In fact, it is
> even with a decent business case, that we will never even gain access to
> account in the Domain Admins group at all. The other business unit "owns"
> the AD environment and manages all of the domain controllers; they merely
> allow our institution to play there by giving us specific rights and
> permissions to specific OUs within the domain. We could build our own AD
> forest, but that introduces even more complications, since our Exchange
> environment is already part of the existing, global AD forest.
> Also, from a security point of view, if a service account is to be used
> solely for deployment of desktop applications in our business unit only
> different business units use different solutions in this area), it really
> should not have adminstrative access to every domain controller in the
> Americas, anyway. It seems strange to me that the appliation requires
> Domain Admins membership to distribute desktop software. As long as it
> the appropriate access on the PCs where it will be installing software, I
> don't understand why it should matter what group object is being used.
> However, from what I'm hearing from the vendor, it appears that they are
> relying on several default permissions and rights that are assigned by
> default to the Domain Admins group object.
> That last point is also problematic for us. Our AD environment has been
> heavily tweaked by the global design team (which resides in Europe). Many
> default permissions of the built-in objects have likely been altered. In
> other words, even if we gain access to the coveted Domain Admins group
> (which is unlikely), it may not have the rights and permissions we need,
> anyway.
> All of the aforementioned is why I need to know if anyone has ever
> configured the rights and permissions required by WinInstall manually by
> assigning them to an AD group or user object (as I described in my
> post). As I mentioned, the Veritas technical person seemed to think it
> possible. I need to find out if anyone has done it in the real world.
> I realize that the above situation is not ideal, that the comapany
> units should work better together, etc., etc., etc., but the bottom line
> I need to figure out if this product can work in my existing environment
> with the constraints I'm dealing with. WinInstall is in many ways a good
> product, but if it cannot work in our environment, we'll have to start
> with something else.
> Thanks,
> Andy
> .
> "Bill Stewart" <> wrote in message
> news:e9qU7DtICHA.1600@tkmsftngp12...
> > "Andy" <> wrote in message
> > news:uz$HmorICHA.2052@tkmsftngp08...
> >
> > > Apparently the WinInstall documentation recommends using an account
> > > Domain Admins group membership for software distribution. Using the
> Domain
> > > Admins group for this purpose is not desirable in our environment for
> several
> > > reasons.
> >
> > What are the reasons? Perhaps that would help in obtaining a solution.
> >
> >