Re: Need limited domain admin rights user account.
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/21/05
Date: Sun, 21 Aug 2005 07:56:46 -0700
I believe you are looking at the permission on the group object
when it is defined in AD.
This is different from the members in the group, and from the
memberships of the group in other groups.
What you are (apparently) looking at is the ACL that controls
who may access the group object in which ways. For example,
Domain Admins will have full control over the group while
plain users will normally have the ability to query the members
listing for the group, etc.
Exactly what ACL is assigned onto a newly defined group object
is impacted by the default SD that exists on the class for group
objects in the AD Schema, and also on where in AD the new group
object is being defined (ex. is it within an OU area where there has
been a delegation of the ability to manage memberships in groups).
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Mike Bailey" <mbailey@beaumontproducts.com> wrote in message
news:uulIbaMpFHA.1044@tk2msftngp13.phx.gbl...
> Roger Abell wrote:
> > Sorry Mike, I was being brain-dead in saying there was a group for
> > adding computers to domain, when I meant that there is a group policy
> > setting for that, in the computer tree, local policy / user rights section
> > named Add workstations to domain and into which you may add the
> > groups whose members will be allowed to do this.
> >
> > I believe that there was something else going on to cause the group
> > change you see and are attributing to an action of the delegation wiz.
> > Now, I am not sure what, but it would be first I have heard of that
> > wiz altering groups rather than ACLs.
> >
>
> I got to looking and every group in my domain all have the same security
> settings apparently by "default." I don't know what created that
> default, or if what I'm seeing is the "normal" default. It does seem
> that the group I was working with using the delegate control wizard is
> not in every group as I thought I saw - could have sworn it was there
> though! Every group does have the following items listed in the security
> tab. This includes any new groups that I create. Is this "normal?"
>
> Account Operators (domain_name\Account Operators)
> Account Unknown(S-1-5-21-3423703923-74...
> Administrators (domain_name\Administrators)
> Authenticated Users
> Domain Admins (domain_name\Domain Admins)
> Enterprise Admins (domain_name\Enterprise Admins)
> ENTERPRISE DOMAIN CONTROLLERS
> Pre-Windows 2000 Compatible Access (domain_name\...
> SELF
> SYSTEM
> Windows Authorization Access Group (domain_name\...
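
The distinction drawn in the reply above (the ACL on the group object, the class default SD in the schema, and the group's membership are three separate things) can be checked directly. This is an added example, not part of the original message or thread; it assumes the ActiveDirectory PowerShell module is installed, and `ExampleGroup` is a hypothetical group name.

```powershell
# Added example: compare the schema default SD, the ACL on one group object,
# and that group's membership. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical group name; replace with a group from your own domain.
$groupName = 'ExampleGroup'

# 1. Default security descriptor (SDDL string) stored on the group class
#    in the schema. New group objects start from this.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$groupClass = Get-ADObject -Identity "CN=Group,$schemaNC" `
                           -Properties defaultSecurityDescriptor
'Default SD on the group class (SDDL):'
$groupClass.defaultSecurityDescriptor

# 2. The ACL actually present on one group object.
$group = Get-ADGroup -Identity $groupName
$acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"

# IsInherited = False : ACE set on the object itself (class default SD
#                       or a later direct edit).
# IsInherited = True  : ACE flowing down from the container or OU, which
#                       is where a delegation on that OU shows up.
$acl.Access |
    Sort-Object IsInherited, IdentityReference |
    Format-Table IdentityReference, AccessControlType,
                 ActiveDirectoryRights, IsInherited -AutoSize

# 3. Membership is separate data from the ACL: who is IN the group,
#    as opposed to who may read or change the group object.
'Members of the group:'
Get-ADGroupMember -Identity $group | Select-Object Name, objectClass
```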