Re: Reset Passwords, Account operators, Delegation - access denied
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Wed, 09 Aug 2006 22:53:16 -0400
Enjoy it. :)
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Tlan wrote:
AND I just bought your book.
On Tue, 08 Aug 2006 21:48:20 -0400, "Joe Richards [MVP]"
<humorexpress@xxxxxxxxxxx> wrote:
Remove everyone from the server operators and account operators groups. It is stupid to use them because both groups can usually just escalate themselves to domain admin level anyway if they know what they are doing.
Acc ops just gives rights that should be delegated in AD anyway and Serv Ops gives powers over DCs that no one except DAs should have. If you allow someone to monkey with the scheduler or services or system binaries they can do anything they want to the machine.
So once you have removed them from those groups, make sure that admincount is set to zero on all of them and then go into the ACLs and reapply inheritance.
BTW, this is all expected. It is called the AdminSDHolder functionality. It is designed to protect you. But again, the best protection is not to use those groups in the first place.
joe
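The cleanup Joe describes (empty the operator groups, reset adminCount, re-enable ACL inheritance on the formerly protected accounts) as an added PowerShell example; this is not code from the thread or from Joe's book. It assumes the ActiveDirectory RSAT module, a session with rights to change group membership and object ACLs, and it treats "protected group" as any group that AdminSDHolder has itself stamped with adminCount=1 (an approximation, since memberOf does not show nested membership). The Remove-ADGroupMember line is left commented so the script reports before it changes anything.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module
# and sufficient rights. Review the report step before uncommenting the removal.
Import-Module ActiveDirectory

# 1. Report (and optionally remove) members of the two built-in operator groups.
$operatorGroups = 'Account Operators', 'Server Operators'
foreach ($g in $operatorGroups) {
    foreach ($m in (Get-ADGroupMember -Identity $g -Recursive)) {
        Write-Host "$g : $($m.SamAccountName)"
        # Remove-ADGroupMember -Identity $g -Members $m -Confirm:$false -WhatIf
    }
}

# 2. Find accounts still stamped by AdminSDHolder (adminCount=1) that no longer
#    belong to any protected group. Assumption: protected groups are the groups
#    that carry adminCount=1 themselves (direct membership only, via memberOf).
$protectedDNs = (Get-ADGroup -LDAPFilter '(adminCount=1)').DistinguishedName
$orphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf |
    Where-Object { -not ($_.memberOf | Where-Object { $protectedDNs -contains $_ }) }

# 3. Set adminCount back to 0 and re-apply inheritance, as the reply describes.
foreach ($u in $orphans) {
    $path = "AD:\$($u.DistinguishedName)"
    Set-ADUser -Identity $u -Replace @{ adminCount = 0 }
    $acl = Get-Acl -Path $path
    # First argument $false = allow inheritance again; $true = keep the explicit ACEs
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Reset adminCount and inheritance on $($u.SamAccountName)"
}
```

Run the first step on its own and check the list before removing anyone; once the accounts are out of the operator groups, the SDProp pass will stop re-protecting them, and step 3 restores the delegated ACEs that inheritance from the OU would normally supply.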