Re: Allowing a Domain User Admin Rights to a Couple of Domain Servers

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/01/05


Date: Fri, 1 Jul 2005 05:31:02 -0700

But that was just my point Matt.

If you are an Administrators member on the DCs you only have
admin powers on the DCs. You do not have power on member
servers or client machines. That is how Domain Admins group
is set up in the default group nesting into members' Administrators.

So, making the account a member of Administrators does limit it
down quite a bit.

My reference that the account "could" be used to obtain DA (or
EA for that matter) was not meaning to say it was simple to do so.
When I said that is a staffing issue, it was because the person would
have to do some hacking and use other than standard tools and
management interfaces to effect the privilege elevation, but when
determined they could (and they would know that they are doing
a no no - no way it would be simple or by mistake).

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Matt Gibson" <mattg@blueedgetech.ca> wrote in message
news:u7BLWuYfFHA.3912@tk2msftngp13.phx.gbl...
> Roger,
>
> Thanks for clarifying what I was getting at.  Your last point is what I was
> trying to say.
>
> If you're an Administrator on a domain controller, there really isn't
> anything you can't do to the domain.
>
> Matt Gibson - GSEC
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:%23LH8BZXfFHA.3940@tk2msftngp13.phx.gbl...
> > Matt,
> >
> > Even on a DC a "full admin" as in member of Administrators is only
> > pretty much an admin of all DCs, but not of the network in the way
> > that Domain Admins members are in the default members of each
> > machine local Administrators group on the members of the domain.
> >
> > Now, an Administrators member on a DC would have little problem
> > in making themselves a Domain Admins member but that is a different,
> > personnel issue.
> >
> > -- 
> > Roger Abell
> > Microsoft MVP (Windows  Security)
> > MCSE (W2k3,W2k,Nt4)  MCDBA
> > "Matt Gibson" <mattg@blueedgetech.ca> wrote in message
> > news:OeiKBeSfFHA.3448@TK2MSFTNGP12.phx.gbl...
> >> Depends if these machines are domain controllers or not.
> >>
> >> If they're domain controllers, then you're pretty much out of luck.  A full
> >> admin on a DC is basically an admin of the network.
> >>
> >> If they're not DCs, then you can just give his user (in AD) only logon
> >> rights to those two servers.
> >>
> >> Matt Gibson - GSEC
> >>
> >> <inteltech@gmail.com> wrote in message
> >> news:1120101232.707852.206150@g47g2000cwa.googlegroups.com...
> >> > Hello All
> >> >
> >> > I am looking for a little assistance...
> >> >
> >> > Within our company we have two servers that have a different
> >> > administrator to the rest of the network.
> >> >
> >> > Currently the administrator of these servers uses the domain
> >> > administrator username/password to perform his admin tasks on the
> >> > server, but has also been known to use this account for other purposes.
> >> >
> >> > So what I would like to do, is provide him with an account that ONLY
> >> > has administrator rights on these two machines that he requires
> >> > administrator access to.
> >> >
> >> > Something like user account within Windows XP on the domain server
> >> > would do the trick...  but no!
> >> >
> >> > Does anyone have any ideas/advice for this?
> >> >
> >> > Thanks in advance
> >> >
> >> > David
> >> >
> >>
> >>
> >
> >
>
>
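
An added example, not part of the original thread: one way to set up the member-server case discussed above, where a dedicated domain account is placed in the local Administrators group of just two servers and checked against the domain-wide admin groups. The account, domain and server names are hypothetical placeholders, and the script assumes a single-domain forest with the ActiveDirectory module and PowerShell remoting available.

```powershell
# Added example; every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$Account = 'srvadmin-david'            # dedicated admin account (sAMAccountName)
$Domain  = 'CONTOSO'                   # NetBIOS domain name
$Servers = 'SRV-APP01', 'SRV-APP02'    # the two member servers

# 1. Stop if a target is a domain controller. A DC has no separate local
#    Administrators group, so admin rights there cover every DC in the domain.
$dcNames = (Get-ADDomainController -Filter *).Name
$dcTargets = $Servers | Where-Object { $dcNames -contains $_ }
if ($dcTargets) {
    throw "Refusing to continue, these targets are domain controllers: $($dcTargets -join ', ')"
}

# 2. Check that the account is not (directly or through nesting) in a group
#    that the default nesting makes an admin on DCs or on every domain member.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
foreach ($group in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive
    if ($members.SamAccountName -contains $Account) {
        Write-Warning "$Account is a member of '$group'; remove it before relying on this delegation."
    }
}

# 3. Add the account to the local Administrators group on the two servers only,
#    then list that group's membership on each server for review.
Invoke-Command -ComputerName $Servers -ArgumentList "$Domain\$Account" -ScriptBlock {
    param($Member)
    $existing = Get-LocalGroupMember -Group 'Administrators' -Member $Member -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Member
    }
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
}
```

The listing from step 3 will normally still show Domain Admins on each server, which is the default nesting described in the thread.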

