Re: Accessing c$ share in child domain

From: Stephen Pettitt (xxx_at_none.com)
Date: 12/19/03 

Date: Fri, 19 Dec 2003 07:15:54 +0000

Strictly speaking we do not need Enterprise Admins to be able to
administer these machines but we do need a single account that has
access to the admin shares on ALL machines in all domains. When
pushing out the LANDesk agent to PC you need to have access to the c$
share - Yes, we could just use a logon script so that the client
"pulls" the agent instead but this isn't the preferred method.

Regards,

Stephen.

On Thu, 18 Dec 2003 15:12:59 -0500, Paul Adare <padare@newsguy.com>
wrote:

>In article <Gq7WxwZxDHA.424@cpmsftngxa07.phx.gbl>, in the
>microsoft.public.win2000.security news group, Dale Weiss (MSFT)
><dweiss@online.microsoft.com> says...
>
>> The domains will need to be in native mode.
>>
>
>In addition to what Dale has written here, why do you feel the need for
>Enterprise Admins to be able to administer member servers and
>workstations? This is a violation of the principle of least privilege.
>If you're administering member servers and workstations, you do not need
>the rights and permissions that are granted to members of the Enterprise
>Admins group, and therefore should not be using accounts that belong to
>that group.