Yann
Date: Sun 22/05/2005 16:26
To: TIROA YANN; Jorge de Almeida Pinto; '[EMAIL PROTECTED]'; 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Adminsdholder Property Question...
What I mentioned also applies to some other built-in groups...
see also http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html
#JORGE#
-----Original Message-----
From: TIROA YANN
To: Jorge de Almeida Pinto; [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Sent: 5/22/2005 3:56 PM
Subject: RE: [ActiveDir] Adminsdholder Property Question...
Hi Jorge,
WAAOOU! Indeed, I was not aware that the Print Operators group was able to log on to my DCs and do tasks such as reboot!!!!!!
And yes, my DCs are also print servers..... maybe it's not good for security... but it's hard to convince my management to buy a server ONLY for printer purposes.....
So I'd better review the best security practices as you suggested rather than "playing" with the adminsdholder..
Thanks for your feedback.
;-)
Regards,
Yann
Kind regards,
Yann TIROA
Centre de Ressources Informatique.
Campus Scientifique de la DOUA.
Bât. Gabriel Lippmann - 2nd floor - room 238.
43, Bd du 11 Novembre 1918.
69622 Villeurbanne Cedex.
-----Original Message-----
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]]
Sent: Sunday 22 May 2005 15:18
To: TIROA YANN; '[EMAIL PROTECTED]'; 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Adminsdholder Property Question...
Hi,
Have you seen "Delegated permissions are not available and inheritance is automatically disabled" (http://support.microsoft.com/?id=817433)? This article describes how you can configure which default protected groups are protected or not by the adminsdholder object. Although possible, I do not recommend it, as there is more, like I mention below.
You are using the group "print operators" to manage printers, so this means your DCs are also print servers. Is this correct?
Are you aware that the admin that manages the OU and its child objects (has Full Control) can log on to your DCs? That admin can change the password of the user that is a member of the print operators. After that he can use that user's credentials to log on to a DC. Why? By default print operators have the ability to log on to DCs and do some stuff like shutting down the DC and loading and unloading device drivers (install printer drivers and others).
I'm not sure if you already do it, but I recommend to distinguish between normal user accounts (to read mail, create documents, etc.) and admin accounts (to do all kinds of admin stuff). In my opinion each admin should log on to their workstation using their normal user account and do admin tasks using the RUNAS option. It is better however to have a separate workstation (or TS or Citrix) (protected like other servers) to do admin tasks. Using his normal workstation the admin user sets up a terminal session using RDP or ICA to the ADMIN workstation and does these things.
Cheers,
#JORGE#
-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 5/22/2005 2:39 PM
Subject: [ActiveDir] Adminsdholder Property Question...
Hello ;-)
I had a strange issue yesterday.
An administrator who has full control (ct) of his OU and the child objects was not able to modify a user account's properties or password.
The security option of the user object shows that the admin was not on the user object ACL: the inheritance checkbox that allows the parent's permissions to apply to this object... was disabled!!
After searching on the net, I have found that the adminsdholder was responsible for that. Indeed, the user was a member of print operators and thus is protected by adminsdholder through his membership of this protected group.
So I enabled the inheritance on the security option of the adminsdholder attribute, waited less than 1 hour for the PDC emulator to "do his job", and checked that the user object has the inheritance checkbox activated: that was OK and the delegated admin was delighted!
:-)
BUT, for my personal interest, I think disabling the inheritance of the adminsdholder is not a good option due to security purposes. So in this case, how can I just enable inheritance of only this user ACL without enabling it on the whole adminsdholder so the OU's admin has full ct on the user object?
I would also like the user to continue to be a member of the print operators.
Thanks for your expert advice :o)
NB: do not bother about my poor English writing and be indulgent 8-)
Regards,
Yann
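The two mechanisms the thread turns on (SDProp re-stamping the ACL of every member of a protected group from the PDC emulator about once an hour, and the operator groups' default right to log on to DCs) can be checked from the defender's side rather than by editing AdminSDHolder. The script below is an added example for this thread, not code posted by Yann, Jorge or Microsoft. It assumes the RSAT ActiveDirectory PowerShell module on a domain-joined host (which did not exist in 2005) and a domain controller at Windows Server 2003 SP2 or later for the nested-membership matching rule; the list of protected group names is the default Windows 2003 set described in KB 817433. It only reads the directory.

```powershell
# Added example (not from the thread): audit which accounts AdminSDHolder/SDProp has
# stamped, whether they are still in a protected group, and who can log on to DCs.
# Assumes the RSAT ActiveDirectory module on a domain-joined host. Read-only.
Import-Module ActiveDirectory

# Default protected groups on a Windows 2003-era domain (the thread's setting). The four
# "Operators" groups are the ones KB 817433 lets you exclude; the rest are always protected.
$ProtectedGroupNames = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators',
    'Replicator', 'Domain Controllers', 'Cert Publishers'
)

function ConvertTo-LdapFilterValue {
    # Escape a DN for use inside an LDAP filter (RFC 4515): backslash first, then ( ) * NUL.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' `
           -replace '\*', '\2a' -replace "`0", '\00'
}

function Get-AdminSDHolderReport {
    # adminCount=1 marks every object SDProp has ever stamped. It is NOT cleared when the
    # account leaves the protected group, so inheritance stays blocked until fixed by hand.
    $users = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor

    foreach ($user in $users) {
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested group
        # membership on the server, so one query returns every group the user is in.
        $dn     = ConvertTo-LdapFilterValue $user.DistinguishedName
        $nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                  Select-Object -ExpandProperty Name
        $protectedHits = @($nested | Where-Object { $ProtectedGroupNames -contains $_ })

        # AreAccessRulesProtected is the "inheritance disabled" checkbox seen in the ACL editor.
        $blocked = $user.nTSecurityDescriptor.AreAccessRulesProtected

        $status = if ($protectedHits.Count -gt 0 -and $blocked) {
            'Protected: SDProp re-stamps the ACL hourly, per-user ACL edits will not stick'
        } elseif ($protectedHits.Count -gt 0) {
            'Protected group member with inheritance ON: SDProp has not run yet, or AdminSDHolder was changed'
        } elseif ($blocked) {
            'Orphaned: left the protected group but adminCount and inheritance were never reset'
        } else {
            'Orphaned adminCount=1 with inheritance already restored; clear adminCount to keep the marker honest'
        }

        [pscustomobject]@{
            SamAccountName     = $user.SamAccountName
            ProtectedGroups    = ($protectedHits -join ', ')
            InheritanceBlocked = $blocked
            Status             = $status
        }
    }
}

function Get-DcLogonOperators {
    # Nested user members of the operator groups that hold "Allow log on locally" on DCs
    # by default, the exposure Jorge describes for Print Operators.
    foreach ($g in 'Print Operators', 'Server Operators', 'Backup Operators', 'Account Operators') {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName
    }
}

Get-AdminSDHolderReport | Format-Table -AutoSize
Get-DcLogonOperators    | Format-Table -AutoSize
```

The report answers Yann's question indirectly: while the user stays in Print Operators, any inheritance enabled on just that object is undone at the next SDProp pass, so the only durable options are the ones the thread names (leave the account protected and delegate differently, or take it out of the protected group). The second table is the list to review against the DC's local logon rights before deciding whether the DC should keep acting as a print server.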
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.