Title: RE: [ActiveDir]
1. If you trust them why don't you leave them there all the time? Being facetious here. If you have more than 3-4 domain admins you already have too many.
 
2. This is a good idea. Build a script to do this work. It doesn't require super magic to pull this one off. Heck, if you have your servers in their own OUs you could use startup scripts for them, ditto for the PCs. Or you could use one script that figures out if the machine is a server or a client and then adds the appropriate group, and put that in the domain policy startup script. I would have it avoid modifying DCs personally.
 
Most of your hotfixes and SPs can be set up to be easily installed remotely with a simple file copy and execution via rcmd or psexec. You should really look into that. When we need quick patches out there I by myself can usually get most of my 400 or so servers done in about 6 hours, and that is if I am going slow and testing the fixes along the way to make sure nothing weird is popping up. I do this simply using perl scripts to copy the files and launch the executables. If I was in a serious hurry and not worried about reboots dropping someone I could probably get them all done in an hour or maybe less, depending on how badly I wanted it done and if I knew the patches didn't need verifying.
 
  joe
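The "copy the file, launch it with psexec, check as you go" rollout joe describes above, written out as an added PowerShell example (this is not joe's perl, and not code from the list). It assumes a `servers.txt` with one hostname per line, `psexec.exe` on the PATH, an Update.exe-style hotfix that accepts `/quiet /norestart`, and that the account running it is a local administrator on every target; the hotfix file name is a placeholder. It skips hosts that don't answer a ping and refuses to touch domain controllers, and it records the exit code of every run so the "testing along the way" has something to look at.

```powershell
# Added example: push one hotfix to a list of servers via the admin share + PsExec.
# Assumptions (not from the thread): servers.txt lists one host per line, psexec.exe
# is on PATH, the hotfix accepts /quiet /norestart, and we are admin on each server.
param(
    [Parameter(Mandatory)] [string] $HotfixPath,      # e.g. C:\patches\KB-PLACEHOLDER.exe
    [string] $ServerList = '.\servers.txt',
    [string] $LogPath    = '.\rollout.csv',
    [int]    $TimeoutSec = 900
)

$hotfixName = Split-Path -Leaf $HotfixPath

$results = foreach ($raw in Get-Content $ServerList | Where-Object { $_.Trim() }) {
    $server = $raw.Trim()
    $entry  = [ordered]@{ Server = $server; Step = ''; ExitCode = $null; Note = '' }

    # 1. Reachability first, so a dead host doesn't cost a full copy/psexec timeout.
    if (-not (Test-Connection -ComputerName $server -Count 1 -Quiet)) {
        $entry.Step = 'ping'; $entry.Note = 'unreachable'
        [pscustomobject]$entry; continue
    }

    # 2. Never patch domain controllers from this script (joe's "avoid modifying DCs").
    #    Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = member server.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $server -ErrorAction Stop
    } catch {
        $entry.Step = 'wmi'; $entry.Note = $_.Exception.Message
        [pscustomobject]$entry; continue
    }
    if ($os.ProductType -eq 2) {
        $entry.Step = 'role'; $entry.Note = 'domain controller, skipped'
        [pscustomobject]$entry; continue
    }

    # 3. Stage the hotfix on the server's admin share.
    $stage = "\\$server\C$\Patches"
    try {
        if (-not (Test-Path $stage)) { New-Item -ItemType Directory -Path $stage -ErrorAction Stop | Out-Null }
        Copy-Item -Path $HotfixPath -Destination $stage -Force -ErrorAction Stop
    } catch {
        $entry.Step = 'copy'; $entry.Note = $_.Exception.Message
        [pscustomobject]$entry; continue
    }

    # 4. Launch it as SYSTEM and wait. PsExec returns the remote process's exit code,
    #    which is what tells us whether a reboot is now pending on that box.
    $remoteExe = "C:\Patches\$hotfixName"
    $proc = Start-Process -FilePath 'psexec.exe' -PassThru -NoNewWindow `
        -ArgumentList @('-accepteula', "\\$server", '-s', $remoteExe, '/quiet', '/norestart')
    if (-not $proc.WaitForExit($TimeoutSec * 1000)) {
        $proc.Kill()
        $entry.Step = 'run'; $entry.Note = "timed out after $TimeoutSec s"
        [pscustomobject]$entry; continue
    }
    $entry.Step     = 'run'
    $entry.ExitCode = $proc.ExitCode
    # 3010 is the standard "installed, reboot required" code; anything else needs a look.
    $entry.Note = switch ($proc.ExitCode) {
        0       { 'installed' }
        3010    { 'installed, reboot pending' }
        default { 'check the hotfix log on the server' }
    }
    [pscustomobject]$entry
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
```

Run it with a short `servers.txt` of test boxes first; the CSV is the record of which servers still owe you a reboot, and any non-zero, non-3010 exit code is the "something weird popping up" that joe slows down to check for.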
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jordan, Jason [EPM/AUS]
Sent: Thursday, December 04, 2003 11:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir]

We solved this problem in two ways depending on whether the machine being modified is a server or PC.

1.  When we have to patch the 250 servers in our datacenter and it's going to be too much for the 6 of us administrators to handle in a reasonable amount of time, we bring in members of the helpdesk and add them to the Domain Admins domain group.  Of course we work with these guys enough to know that they can be trusted and we remove them as soon as we are done with the patching.  There is really no way around this, unless we were to follow something similar to option 2.

2.  All of our users' PCs have a domain group called TempPCAdmin that is added to the local Administrators group on each PC.  We do not advertise the existence of this group to our users or the rest of the IT department.  99.999% of the time this domain group has no users in it.  When we need to give a helpdesk technician access to a PC, we just add their domain user to this domain group and when they are done we remove them.  This way we don't have to give out the local PC's administrator password and the technician has the power to do whatever they need to do.

Of course we could eliminate option 1 if we modified all of our servers to have something similar to option 2, but that can take a very long time to do without automated tools and if we had automated tools, then we would not be in the position of needing an option 1 anyways since we could automate patching as well.  :-)  Such is life when you work at a place that doesn't like to spend money.  >:-/

jasonjordan
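Jason's TempPCAdmin group above, combined with joe's suggestion of one startup script that works out whether the box is a server or a client and then adds the right group: here is an added PowerShell example of that startup script (not Jason's or joe's code). It assumes a domain NetBIOS name of `CONTOSO` (placeholder), the `TempPCAdmin` group from Jason's post, a second made-up group `TempServerAdmin` for servers, and that it runs as the computer's SYSTEM account from a GPO startup script. It uses the WinNT ADSI provider so it runs on the 2000/XP clients in the original question as well as on current Windows, it does nothing on domain controllers, and it is idempotent, so it can run on every boot.

```powershell
# Added example: GPO startup script that adds a role-specific domain group to the
# local Administrators group. Assumptions (not from the thread): domain CONTOSO,
# groups CONTOSO\TempPCAdmin (Jason's) and CONTOSO\TempServerAdmin (made up).
$Domain      = 'CONTOSO'
$ClientGroup = 'TempPCAdmin'
$ServerGroup = 'TempServerAdmin'

function Get-RoleGroup {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    switch ($os.ProductType) {
        1       { return $ClientGroup }
        3       { return $ServerGroup }
        default { return $null }      # DC (2) or unknown: leave it alone
    }
}

function Write-StartupLog([string] $Message) {
    # eventcreate.exe ships with XP/2003 and later; an Application log entry gives
    # anyone auditing local admin changes something to find afterwards.
    & eventcreate.exe /L APPLICATION /T INFORMATION /ID 100 /SO 'TempAdminStartup' /D $Message | Out-Null
}

function Add-GroupToLocalAdmins([string] $GroupName) {
    $localAdmins = [ADSI]'WinNT://./Administrators,group'

    # Enumerate current members by name so the add is idempotent.
    $members = @($localAdmins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    if ($members -contains $GroupName) {
        return $false   # already present, nothing to do
    }
    $localAdmins.Add("WinNT://$Domain/$GroupName,group")
    return $true
}

$groupName = Get-RoleGroup
if (-not $groupName) {
    Write-StartupLog 'Domain controller or unknown role; local Administrators left unchanged.'
    return
}

try {
    if (Add-GroupToLocalAdmins $groupName) {
        Write-StartupLog "Added $Domain\$groupName to local Administrators."
    }
} catch {
    Write-StartupLog "Failed to add $Domain\$groupName to local Administrators: $($_.Exception.Message)"
}
```

Once this is in the domain policy, "giving the helpdesk access" is a membership change on one AD group rather than a Domain Admins change, and removing them is the same change in reverse. It is worth pairing it with a scheduled check that the two groups are empty (Jason's 99.999% of the time), since a forgotten member in TempServerAdmin is effectively a standing administrator on every member server.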

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Oliver Marshall
Sent: Thursday, December 04, 2003 9:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]


No Joke. It's not the best, but then I am making some assumptions;

1) If he is installing software on each machine individually then it isn't a big setup by any means

2) Adding one user to each machine's admin group could take a while and is a pain, even in small setups.

3) He has a backup admin account that he can use should any numpty change the admin account password

4) The chap in question can be trusted enough to do work on his own machines even if he can't be trusted with a generic password which is the same for all clients (!)

5) There is no other real way of doing this other than making him a member of one of the two admin groups (local or domain)

Based on these assumptions, I'm afraid I stand by my comment. Given the assumed setup I don't see it as too much of a risk, and you can always revoke privileges afterwards

-----Original Message-----
From: Douglas M. Long [mailto:[EMAIL PROTECTED]]
Sent: 04 December 2003 15:32
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]

I hope that last comment was a joke...as I wouldn't want a "user" to have domain admin rights. If you find a good solution for this, I would be surprised, as I have looked for a better solution than just adding the user's domain account to the local admin group and can't find anything. I have been living with all "domain users" being members of their local machine admin group, and just hoping that they don't change the local admin user password. If all you are worried about is keeping the admin password so that you can get into the machine if you need...don't worry, there are always local machine administrator reset programs.


 

        -----Original Message-----
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jerry Johnson
        Sent: Thursday, December 04, 2003 9:46 AM
        To: [EMAIL PROTECTED]
        Subject: [ActiveDir]

        Hi

        I have a user that needs to be able to install software on 2k and xp clients by visiting each desktop.

        All of our clients are set up with the same local admin password and we do not want him to know that password.

        Is this possible?

        He is currently just a domain user.

        Thank you

        Jerry

        

        Scicom Data Services
        Minnetonka, MN


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
