Re: Service accounts best practices

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 06/17/05

    Date: Fri, 17 Jun 2005 17:57:14 -0400
    
    

    It really doesn't do anything for you. They can simply give themselves the
    rights back.

    The only people who should have domain admin rights are the exact people doing
    domain admin work and it should be a very small group. I had three people as
    domain admins of a Fortune 5 forest consisting of 250k users and about 400
    domain controllers globally distributed. No services had those rights; they were
    all delegated.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net
    Ferdie wrote:
    > I need to be careful though.  The DB group teaches me nice things like SQL
    > queries.  I think if I just remove the right to log on locally to any box,
    > then that would reduce the vulnerability a little.  It's a small step for
    > now, but a huge step in breaking the comfort level.
    > 
    > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message 
    > news:%23ECPTKtcFHA.456@TK2MSFTNGP09.phx.gbl...
    > 
    >>Make them document exactly why they need domain admin. I have done this 
    >>dance with several vendors. Generally they say that because they have no 
    >>idea what their app needs nor why.
    >>
    >>   joe
    >>
    >>--
    >>Joe Richards Microsoft MVP Windows Server Directory Services
    >>www.joeware.net
    >>
    >>
    >>Ferdie wrote:
    >>
    >>>Can someone point me to a guide to securing service accounts?  I have 
    >>>some accounts that require Domain Admin rights (or so they say), but 
    >>>don't need to log on locally.  I'd like to remove that right, so that 
    >>>they don't use it to bypass the logical access control.  There might be 
    >>>some other issues that come up, so I might need a guide.
    >>>
    >>>Thanks,
    >>>Ferdie 
    > 
    > 
    > 
    

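As an added check for the "log on locally" step Ferdie describes (example code, not from the thread or from joeware): parse a `secedit /export /cfg` policy file and classify a service account's interactive-logon status. The SIDs and INF contents are constructed, and the account's group memberships are assumed to be supplied from AD; passing the local Administrators group for a Domain Admins member shows Joe's point, since that membership carries the right even when the account's own SID never appears in the export.

```python
"""Audit 'log on locally' rights for service accounts from a secedit export
(secedit /export /cfg policy.inf). [Privilege Rights] lists each right as
"SeRightName = *SID,*SID,..."; unresolved accounts may appear as bare names."""
import configparser
from typing import Dict, Iterable, Set

ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally" (wins over allow)
ADMINISTRATORS = "S-1-5-32-544"        # well-known local Administrators group

# Constructed sample export: the domain SID and RIDs below are made up.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SVC_SQL, SVC_BACKUP, SVC_WEB = (f"{DOMAIN}-{rid}" for rid in (1105, 1106, 1107))
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *{ADMINISTRATORS},*S-1-5-32-545,*S-1-5-32-551
SeDenyInteractiveLogonRight = *{SVC_BACKUP}
SeServiceLogonRight = *{SVC_SQL},*{SVC_BACKUP},*{SVC_WEB}
"""

def parse_privilege_rights(inf_text: str) -> Dict[str, Set[str]]:
    """Return {right_name: set of principals} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str                     # keep SeXxx names as exported
    cp.read_string(inf_text)
    rights: Dict[str, Set[str]] = {}
    if cp.has_section("Privilege Rights"):
        for name, value in cp.items("Privilege Rights"):
            rights[name] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def audit(rights: Dict[str, Set[str]], account_sid: str,
          group_sids: Iterable[str] = ()) -> str:
    """Classify one account as 'denied', 'allowed' or 'not granted'.
    group_sids: groups the account belongs to (resolve from AD; constructed here).
    A Domain Admins member sits in local Administrators and so inherits the right."""
    principals = {account_sid, *group_sids}
    if principals & rights.get(DENY, set()):
        return "denied"
    if principals & rights.get(ALLOW, set()):
        return "allowed"
    return "not granted"

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    for name, sid, groups in (("svc_sql", SVC_SQL, [ADMINISTRATORS]),
                              ("svc_backup", SVC_BACKUP, [ADMINISTRATORS]),
                              ("svc_web", SVC_WEB, [])):
        print(f"{name}: {audit(rights, sid, groups)}")
```

The export is per machine and only a point-in-time view; as Joe notes, an account that still holds Domain Admin can re-grant the right, so the audit is a detection, not a control.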
