Hey Guido, I should have read this before responding...

Note my post. I am not entirely positive you can actually really hide the
built-in admin account from people. For non-built-in accounts this stuff would
obviously work, as long as the adminSDHolder functionality was kept in
mind.

  joe 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, July 22, 2004 4:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Rocky - this thread is actually quite incredible - you're wandering from
user and group names and object types to NTFS permission and nesting objects
into groups, over to discussing SIDs and friendly names, and now you're
talking about the visibility of memberships of groups in AD ;-)

Also, I don't know about your domain, but I never knew that there was an
account called "Domain Admin" - by default, you should only have an
"Administrator" account that is a member of the "Domain Admins" group (and if
this is the root, it would also be a member of the "Enterprise Admins" and
"Schema Admins" groups)...  Besides the best practice of renaming the default
Administrator account (not group), it's also a good practice to take it out
of the Schema Admins group (this group should be empty until you want to
change anything in the schema - this will prevent accidental schema extensions,
e.g. by some crappy program or script).


So, I'm not sure which is the part that's really most painful to you, but I
guess you mainly want to hide any hints to the default Admin account in your
domain as otherwise renaming them doesn't make any sense to you - is that
about right? 

I think Deji already covered very well how you shouldn't set ACLs for any
user account directly - you'll merely do so via groups, and the account that
has access to the (non-homeshare) resource won't be visible by looking at
the ACLs of the machine. This includes administrative accounts.


And if people see a group on an ACL (e.g. Domain Admins), you don't want
them to be able to lookup who is a Domain Admin by checking the
group-membership of that group - right again?

This can also be resolved by setting the appropriate permissions on the
respective AD OU which contains the groups (or any other objects) which you
don't want your users to view.  E.g. move your administrative accounts and
the Domain Admins group to a separate OU in your domain and then remove the
Read permissions for Authenticated Users on that OU - this will prevent them
from browsing to that OU, so they can't even try to open the group to see the
content.  You could also work with permissions on the groups themselves, but
that's more and unnecessary work.  If you don't even want your users to see
the "special" OU, then you'll have to work with the List Object permission.

LIST OBJECT is not active or visible in the ACL Editor by default. To
activate (for whole AD forest) change the DSHeuristics property on the
Directory Service object (cn=Directory Service,cn=Windows
NT,cn=Services,cn=Configuration,dc=ForestRootDomain) to 001. The first two
bits impact the ANR searching in AD, so don't change them without knowing
what you want them to be.

BTW, it's much easier to implement the strategy of a "special" OU (e.g.
"Domain Operations") when you have separate accounts for administrative
users - i.e. they have another "normal" account for e-mail etc.  All
administrative accounts should be in this special OU.


And thanks for the flowers in your previous mails - I'll send some of them
to Deano ;-)


Cheers,
Guido

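The OU-based approach Guido describes above, as an added example that is not code from the thread or from any of its participants: it creates a "Domain Operations" OU, strips the Authenticated Users ACEs it inherited from the domain head, switches the forest into List Object mode by setting only the third dsHeuristics character (leaving the first two, which govern ANR, as they are), grants List Object to an admin group so its members can still see the OU, and finally checks whether a protected group placed in that OU is really hidden. The OU name, the use of Domain Admins as the group that keeps visibility, and the folder layout are assumptions; it needs the RSAT ActiveDirectory module and Domain Admin rights (Enterprise Admin for the dsHeuristics write).

```powershell
# Added example (not from the thread). Assumptions: RSAT ActiveDirectory module,
# run on a domain member as a Domain Admin / Enterprise Admin; OU and group
# names are illustrative.
Import-Module ActiveDirectory

$domainDN     = (Get-ADDomain).DistinguishedName
$ouName       = 'Domain Operations'
$ouDN         = "OU=$ouName,$domainDN"
$authUsersSid = 'S-1-5-11'   # NT AUTHORITY\Authenticated Users, locale-independent

# 1. Create the OU if it does not exist yet.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# 2. Break inheritance on the OU (keeping copies of the inherited ACEs), then
#    remove every ACE Authenticated Users got from the domain head. The
#    protection flag must be written before the copied ACEs become removable.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

$acl = Get-Acl -Path "AD:\$ouDN"
$toRemove = @($acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $authUsersSid
})
foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Enable List Object mode: third character of dsHeuristics = '1'. Only that
#    position is touched; characters already present (including the first two,
#    which control ANR) are preserved.
function Set-DsHeuristicsChar {
    param([string]$Current, [int]$Position, [char]$Value)
    $chars = $Current.PadRight($Position, '0').ToCharArray()
    # MS-ADTS reserves every 10th character; it must equal position/10 ('1' at 10, '2' at 20, ...).
    for ($i = 10; $i -le $chars.Length; $i += 10) { $chars[$i - 1] = [char][string]($i / 10) }
    $chars[$Position - 1] = $Value
    return (-join $chars)
}
$dsDN    = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$current = [string](Get-ADObject -Identity $dsDN -Properties dsHeuristics).dsHeuristics
$new     = Set-DsHeuristicsChar -Current $current -Position 3 -Value '1'
if ($new -ne $current) { Set-ADObject -Identity $dsDN -Replace @{ dsHeuristics = $new } }

# 4. Grant List Object on the OU to the admin group (assumption: Domain Admins),
#    so its members can still see the OU wherever List Contents on the parent
#    is withheld from ordinary users.
$opsGroup = Get-ADGroup 'Domain Admins'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $opsGroup.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ListObject,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 5. Check: does Authenticated Users still hold a read ACE directly on the object?
#    Objects with adminCount=1 get their ACL from AdminSDHolder, not from the OU,
#    so hiding the OU only defeats browsing, not a direct read of a known DN.
function Test-ReadableByAuthenticatedUsers {
    param([string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties adminCount
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $read = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $authUsersSid -and
        ([int]($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)) -ne 0
    }
    [pscustomobject]@{ DN = $DistinguishedName; AdminCount = $obj.adminCount; AuthUsersReadAce = [bool]$read }
}
Test-ReadableByAuthenticatedUsers -DistinguishedName $opsGroup.DistinguishedName
```

Step 5 is the check joe alludes to at the top of the thread: Domain Admins, Administrator and the other protected principals carry adminCount=1, and SDProp periodically rewrites their ACL from AdminSDHolder, whose default ACL grants Authenticated Users read. For those objects the function reports AuthUsersReadAce = True no matter which OU they sit in, so removing Read on the OU stops casual browsing but not a user who already knows the group's DN. The dsHeuristics write is forest-wide and replicates to every DC, so test it in a lab first; and if the domain head also grants rights to Pre-Windows 2000 Compatible Access, strip those ACEs from the OU the same way as the Authenticated Users ones.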

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 9:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Okay,

First off, yes the club's expensive.  And rightly so, but, do you know what
joe wanted to come to my little shop and point out to me exactly what I
already know (which is "exactly how much I don't know already.")?  Now >HE<
was expensive.  Serves him right for getting fired. ;-O.  No wait.  He
didn't get fired.  Some of the |stupidest| people in the world (notice the
absolute symbol) just let him walk!  I'm telling you, that was about as
smart as the Russians selling us Alaska for 7 million.  I could not believe
that.  How smart do you have to be?  Not as smart as joe, that much I know.

Now, let me show you how much I don't know. ( I can explain why that is
someday, if it comes to that).  When I click (on my W2K boxes in my mixed
mode W2K domain) on My Network Places > Entire Network > Directory >
DNSDomainName it opens up my AD and everybody can see all the OUs.  If I
click on my Microsoft_Groups (OU which houses the native groups) I see every
group.  If I click on Domain Admins, I see the members.  The same with all
the other groups.  How do I hide the memberships of these native MS groups?

Thanks Deji (and all youse other guys!)

RH
__________________________________________________




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 2:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


You just prove that you are very confused about "membership"? Tony, Robbie,
Guido, Gil, Roger, and Joe???? That's an expensive club. Can't afford the
"membership" fee. Next thing I know, you'd be lumping me in with Dean :-P

Seriously, let's back up a bit. Let's ask why you'd want to give permission
to "Domain\Administrator" (the user), instead of "Domain\Domain Admins" (the
group). Before you answer that, remember the basic principle "put users in
group, give permission to group".

You want to keep users from viewing membership in AD? Where are they viewing
the membership from? In the "Local Users and Groups"? From the ACEs on files
and folders? I ask because, if you have added ONLY groups instead of Users,
the name of the users are not viewable in those places.


Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 10:32 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account


Deji,

You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and
of course joe, and all the other heavyweights), but, we're not confused on
the accounts and their memberships.  I just feel it's important to have the
Domain Admin (the individual) as Full Control on everything.  As such, its
pointless to rename him because he can be seen.

However, you might just convince me to try it if you will tell me how to
keep Users from viewing membership in AD of the Microsoft native groups,
like Domain Administrators. ;-)

That might be enough for me to try it.

RH

_________________________________



        -----Original Message-----
        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Deji Akomolafe
        Sent: Thursday, July 22, 2004 12:10 PM
        To: [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Renaming The Admin Account


        If you just remember the principle "put users in group, assign
        permission to group", then you'll remember that neither JohnDoe nor
        Administrator should show up anywhere in your ACL enumeration. Rather, your
        ACL will look something like this:

        Computername\AdministratorS - F
        System - F
        etc, etc.

        You will NOT need to add the following to the ACL:
        ComputerName\Administrator (notice the missing "S")
        Domain Admins
        Domain\Administrator

        Why? First, because by adding Computername\AdministratorS in the first
        example, you have essentially taken care of the three in the second
        example. "Domain\Administrator" is a member of "Domain Admins", which is a
        member of Computername\AdministratorS. Likewise, "ComputerName\Administrator"
        is a member of "Computername\AdministratorS".

        Then your fear about your users knowing the name of your Domain
        Admin account becomes non-existent (although this should have been of no
        concern in the first place). If anyone looks at the permission on an object,
        they won't see those 3 listed.

        Now, as to how your ACL "may" be messed up by an account rename. You
        need to remember that an account's name is not THE significant part when
        ACE/ACL are concerned. It's the account's SID, and this does NOT change,
        even after you've renamed an account. Your permissions will still persist
        through a rename.

        As to the problem you encountered after renaming a DA, I can only
        speculate that there was "something else" causing that. I ALWAYS rename my
        DAs. Been doing it for a while now without running into similar problems.

        Are you convinced yet?

        Sincerely,

        Dèjì Akómöláfé, MCSE MCSA MCP+I
        Microsoft MVP - Directory Services
        www.readymaids.com - we know IT
        www.akomolafe.com
        Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon
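Deji's point that an ACE is bound to the SID rather than the name, as an added example that is not code from the thread or from any of its participants: it grants Full Control on a folder to the built-in administrator by SID, renames the account (both its CN and its sAMAccountName, which are separate operations), and shows the same ACE is still in the DACL. It also shows the flip side a practitioner should know: the built-in administrator always has RID 500, and any domain member can translate that SID back to the current name, so the rename hides the account from someone reading ACLs, not from someone who asks for it by SID. The folder path is an assumption; "JohnDoe" is the thread's own illustration. Run it in a lab: it really renames the account.

```powershell
# Added example (not from the thread). Assumptions: RSAT ActiveDirectory module,
# Domain Admin rights, a lab domain; $testPath is illustrative.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
$adminSid  = "$domainSid-500"          # RID 500 is always the built-in Administrator
$testPath  = 'C:\Temp\AclRenameTest'   # illustrative folder
$newName   = 'JohnDoe'                 # name used in the thread

function Get-BuiltInAdmin { Get-ADUser -Identity $adminSid }

# LSA lookup any domain member can perform: the current name of RID 500.
function Resolve-AdminName {
    ([System.Security.Principal.SecurityIdentifier]$adminSid).Translate(
        [System.Security.Principal.NTAccount]).Value
}

# Return the ACE(s) on a folder that belong to the RID-500 SID, whatever the
# account is currently called.
function Get-AdminAceOnFolder {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $adminSid
    }
}

# 1. Grant Full Control by SID (not by name), so the ACE is name-independent.
New-Item -ItemType Directory -Path $testPath -Force | Out-Null
$acl  = Get-Acl -Path $testPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    [System.Security.Principal.SecurityIdentifier]$adminSid, 'FullControl',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $testPath -AclObject $acl
$before = Get-AdminAceOnFolder -Path $testPath

# 2. Rename the account: Rename-ADObject changes the CN, Set-ADUser the logon name.
Rename-ADObject -Identity (Get-BuiltInAdmin).DistinguishedName -NewName $newName
Set-ADUser -Identity $adminSid -SamAccountName $newName

# 3. The ACE is still there; only the display name the SID resolves to has changed.
$after = Get-AdminAceOnFolder -Path $testPath
"ACE identity before rename : $($before.IdentityReference)"
"ACE identity after rename  : $($after.IdentityReference)"
"RID-500 currently resolves to: $(Resolve-AdminName)"
"sAMAccountName is now        : $((Get-BuiltInAdmin).SamAccountName)"
```

Because Get-Acl translates SIDs to names at read time, the "after" line may briefly show the old name until the local name cache refreshes; the SID in the ACE itself never changes, which is why the permissions survive. The last two lines are the caveat: Resolve-AdminName works for an ordinary authenticated user too, so a decoy account named "Administrator" only fools people who search by name.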

________________________________

        From: Rocky Habeeb
        Sent: Thu 7/22/2004 8:18 AM
        To: [EMAIL PROTECTED]
        Subject: RE: [ActiveDir] Renaming The Admin Account


        Rob,

        We set permissions on our Users' PCs according to Trusted Systems Services
        Windows NT Security Guidelines developed for the NSA in 1999.  We run in a
        moderate to severe lockdown.  We open up NTFS permissions only as much as is
        needed for Users to operate.  As such, any User can open up Windows Explorer
        and click Security and look at the Security NTFS permission structure of any
        file and folder on their PC.  Maybe they can adjust it, maybe not.  It
        depends on how we set it.

        If we rename the Domain Admin account to "JohnDoe" and then create a bogus
        account called "Administrator", obviously, when we go set permissions on a
        system, we are not going to select the "Administrator" account when we
        actually need the Domain Admin to have Full Control to that object.  And I'm
        not going to select "JohnDoe" and grant him Full Control as that pretty much
        tells people where the Domain Admin account is.  So what do you do?

        I need DAs to have FC.  What do I select?  How do I keep the User from
        immediately seeing where the DA account is?  As far as testing it, forget
        it.  Ten years ago, I renamed the DA account on a Windows NT 4.0 domain.  I
        could not get back in.  I had to rebuild the domain, albeit a small one of
        less than 100 Users, from scratch, and I swore I would never do it again.

        Now convince me to do it.

        RH
        ____________________________________________________________

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
