Re: Read-only access to AD, 2000, and 2003 server for monitoring?

"SVRSEC" <SVRSEC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:05B951EC-08D6-4FBA-A8B9-C0929D3642DD@xxxxxxxxxxxxxxxx
Let's assume that AD is tightened up a bit, I need to be able to see all
administrator accounts, and all information around them?

As far as the local accounts, our admins have added domain accounts to
local
groups, so I need to be able to read the same information locally?


Have you tried?
AD objects carry default grants to Authenticated Users such that
what you seems to be indicating as needed ("see all administrator
accounts" - what do you mean by that __exactly__ ?) can happen.
For machine local accounts, I feel I previously provided answer.
Roger

"Roger Abell [MVP]" wrote:

"SVRSEC" <SVRSEC@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:944CD526-A128-4074-AA89-76BF106AC415@xxxxxxxxxxxxxxxx
I need to know how, if possible, can you set up a user that can have
read
access to AD to be able to browse all Administrator level accounts, but
not
be able to modify AD in any fashion? The reason for this is to be able
to
have our security monitoring area be able to document and research any
Administrator level accounts anywhere in our AD.


If measures have not been taken to move your forest/domains away from
the as-installed settings, then any account in the forest can do that
(well,
I guess it depends on what "able to browse all Administrator level
accounts"
intends to mean. If it means list out accounts in the groups, then that
already
is possible from any standard account of the forest.)

I would also like to know if the same is possible for the local
accounts
for
both 2000 and 2003 AD members and standalone servers?

The account used would need to have Users group membership on the
machines. Also, login rights for the type of access to be used for the
examination, network access from the monitoring machine(s), etc..

Roger





.

Relevant Pages

  • Re: Administrator restricted - Control Panel Missing
    ... If you did not specifically set up Group Policy to restrict access to ... The command net users will display user accounts and net user username will ... type of administrator. ... the control panel was missing. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: installing games so other users can access and save their game
    ... YES BUT I BOOTED IN TO SAFE MODE AND SIGNED ON AS ADMINISTRATOR AND RESET ... ALL ACCOUNTS TO FULL RIGHTS ADMINISTRATOR AND THEN INSTALL WORKED FINE (IT ... ALL THE ACCOUNTS GET THE ERROR AGAIN THIS ERROR DOESN'T HAPPEN WITH ALL ... ALL ACCOUNTS ARE SUPPOSED TO HAVE PERMISSIONS OVER EVERYTHING ...
    (microsoft.public.games)
  • Re: password expiration policy for admin and system accounts ?
    ... > scheduled tasks that use various administrative accounts. ... > administrative account which starts several key exchange services. ... > Thus every time the exchange server was rebooted several exchange services ... >> JJ wrote:>>> Our auditors are objecting to our having Domain Administrator and domain>>> system accounts with passwords that never expire. ...
    (microsoft.public.security)
  • Re: password expiration policy for admin and system accounts ?
    ... > scheduled tasks that use various administrative accounts. ... > administrative account which starts several key exchange services. ... > Thus every time the exchange server was rebooted several exchange services ... >> JJ wrote:>>> Our auditors are objecting to our having Domain Administrator and domain>>> system accounts with passwords that never expire. ...
    (microsoft.public.win2000.security)
  • Re: Backup and reinstall - no server access
    ... >>>We have a Windows Server 2003 with a lost Administrator password. ... >>>Knoppix), plug in a USB hard disk, copy the files on the Windows ... > As for having two administrator accounts, ...
    (microsoft.public.win2000.setup)