Re: Need limited domain admin rights user account.

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/10/05


Date: Wed, 10 Aug 2005 03:36:05 -0700

Part of what I was trying to say was to first, figure out what it is that
you do want the custom group to be able to do.
I guess you do in fact want these accounts to be able to do everything
except for "can't take ownership of folders, can't change security settings
on folders, can't change Administrator passwords"

I was thinking that you would have a shorter, and precise list of what
the account should be able to do, in which case one can work forward
toward filling those needs with grants and delegations.

Given what you have stated, I do not see a way to do that.
The first two of the three things that should not be possible I can
see how to take away from Administrators and instead grant only
to some new group SpecialAdmins that should keep the capabilities.
The second would be extremely labor filled to do.
The last however, not changing pwds of admins (but being able to
change pwd of other accounts) is not obtainable in local machines
when working backwards from Administrators.

Anyway, it is virtually certain that restricting Administrators will
result in some of those admins finding the ways to get around or
remove the restrictions.
You need to go the other direction and list all that you do want
the people to be able to do.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Mike Bailey" <mbailey@beaumontproducts.com> wrote in message
news:%2365C8eQnFHA.3312@TK2MSFTNGP12.phx.gbl...
> I basically understand what you are saying, but yet I don't understand it or
> rather what to do. The last paragraph is also hard to understand from the
> wording.  Are you saying there to create a custom group that would be added
> to each workstation with local administration rights?  Part of my problem is
> that I understand the concept of creating a group to give special
> permissions, and then adding users into that group.  I just don't know what,
> or how to give most of the permissions that a Domain Admin would have.  I
> guess what would be nice is if someone could say "to create a super user
> that can't take ownership of folders, can't change security settings on
> folders, can't change Administrator passwords, here is what you would do..."
>
> Mike
>
>
> "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
> news:O5ElAsKnFHA.3988@TK2MSFTNGP10.phx.gbl...
> > One does not "revoke" rights from a Domain Admin.
> > One can try for some capabilities, but it will be imperfect and
> > they can walk around it if they wanted.
> >
> > Rather, the way to go is to define what capabilities a person
> > should have and then create an account with those grants of
> > user rights, NTFS permissions, AD delegations, etc.
> > The best way is to make the grants to a new custom group, and
> > give the person(s) new accounts that are members of this group,
> > in addition to their normal day-to-day use account.
> >
> > Maintaining a WkstnAdmin custom group as a member of the
> > machine local administrators group should not be a problem.
> > At least, if it is then keeping Domain Admins as members of
> > the machine local Administrators group would likely also be.
> >
> > -- 
> > Roger Abell
> > Microsoft MVP (Windows  Security)
> > MCSE (W2k3,W2k,Nt4)  MCDBA
> > "Mike Bailey" <mbailey@beaumontproducts.com> wrote in message
> > news:ubZR9bEnFHA.3564@tk2msftngp13.phx.gbl...
> >> I'm a new manager in my company and am "tightening" up some of the security
> >> here.  The domain administrator username/password is used too freely here
> >> and has not changed in years.  I want to change that, but at the same time,
> >> need to give one of my staff most of the privileges she has under the
> >> administrator.  What I *don't* want her to be able to do is take ownership
> >> of folders, or change the domain administrator password.  In our office,
> >> most users don't have local admin rights to their PCs, so we log in as the
> >> domain admin to make certain changes.  She will still need this ability.  I
> >> thought about just creating another user and adding it as a local admin -
> >> but that's just something else to maintain on each machine.  I'd rather
> >> create a domain user that has the above restrictions, but still has other
> >> admin rights.
> >>
> >> Any suggestions on how to create this?
> >>
> >> Thanks,
> >> Mike
> >>
> >>
> >
> >
>
>
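What the "work forward" approach in Roger's reply looks like when typed out, as an added example that is not part of the original thread: a custom group carries the grants, the person gets a second account that is a member of that group, the AD delegation is made one capability at a time on an OU, and the group (rather than the domain administrator account) is placed in each workstation's local Administrators group. The domain EXAMPLE / DC=example,DC=com, the OU paths, the group name WkstnAdmins, the account jdoe-adm and the workstation names are all placeholders; the script assumes the RSAT ActiveDirectory module, dsacls.exe and PowerShell remoting, none of which existed in this form when the thread was written.

```powershell
# Added example, not from the original thread. Assumes: RSAT ActiveDirectory
# module on an admin workstation, dsacls.exe, and PowerShell remoting to the
# workstations. Domain EXAMPLE (DC=example,DC=com), the OU paths, the group
# and account names, and the workstation list are placeholders to adapt.

Import-Module ActiveDirectory

$domainNetbios = "EXAMPLE"
$groupsOU      = "OU=Groups,DC=example,DC=com"
$adminAcctsOU  = "OU=AdminAccounts,DC=example,DC=com"
$staffOU       = "OU=Staff,DC=example,DC=com"       # ordinary user accounts live here
$groupName     = "WkstnAdmins"
$adminAccount  = "jdoe-adm"                          # separate from the day-to-day account
$workstations  = @("WS01", "WS02")                   # placeholder workstation names

# 1. A custom security group carries the grants. It is deliberately NOT made
#    a member of Domain Admins or any other built-in administrative group.
New-ADGroup -Name $groupName -SamAccountName $groupName `
    -GroupScope Global -GroupCategory Security -Path $groupsOU `
    -Description "Workstation admins: local admin on PCs, reset staff passwords"

# 2. A second account for the person, used only for admin work.
New-ADUser -Name $adminAccount -SamAccountName $adminAccount -Path $adminAcctsOU `
    -AccountPassword (Read-Host -AsSecureString "Initial password for $adminAccount") `
    -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity $groupName -Members $adminAccount

# 3. AD delegation, one capability at a time. Here: reset the password of
#    user objects under the Staff OU (control-access right "Reset Password",
#    plus write access to pwdLastSet so "must change at next logon" can be set).
$grantee = "$domainNetbios\$groupName"
dsacls $staffOU /I:S /G "${grantee}:CA;Reset Password;user"
dsacls $staffOU /I:S /G "${grantee}:WP;pwdLastSet;user"

# 4. On each workstation the group, not the domain administrator account,
#    becomes a member of the machine-local Administrators group. On systems
#    without the LocalAccounts module,
#    `net localgroup Administrators "EXAMPLE\WkstnAdmins" /add` does the same.
Invoke-Command -ComputerName $workstations -ScriptBlock {
    param($member)
    Add-LocalGroupMember -Group "Administrators" -Member $member -ErrorAction Stop
} -ArgumentList $grantee

# 5. Verification: the new account must not sit in any protected admin group,
#    and the Staff OU ACL should now list the two delegated entries.
$memberships = (Get-ADPrincipalGroupMembership -Identity $adminAccount).Name
$forbidden   = @("Domain Admins", "Enterprise Admins", "Schema Admins",
                 "Administrators", "Account Operators")
$overlap     = $memberships | Where-Object { $forbidden -contains $_ }
if ($overlap) { throw "$adminAccount is in a protected group: $($overlap -join ', ')" }
dsacls $staffOU | Select-String -Pattern $groupName
```

Two caveats worth knowing before adapting this. The dsacls grants only reach user objects that inherit the Staff OU's ACL; accounts that are members of protected groups such as Domain Admins have their ACL rewritten from AdminSDHolder and so never pick up the delegation, which is what keeps "can reset staff passwords" from turning into "can reset the domain administrator's password" on the AD side. Membership in a machine's local Administrators group, on the other hand, implicitly carries the take-ownership privilege on that machine, so step 4 does give the WkstnAdmins group the ability to take ownership of folders on those workstations, exactly the point Roger makes about not being able to carve that capability away from Administrators.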

