The debauchery!

The reason I ask is that I go through this trial nearly every week.
It's very tiring being the bad guy and having to explain myself over and
over again to the ranks of technical folks through senior management.

Most of the folks that have been here a while know my answer.  The new
fish, on the other hand, always have to test the water.  There's still
so much cleanup to perform with keeping to least privilege models...
and quite frankly our immaturity with a directory at the time we first
planned it out.  Growing pains...

Anyway, I leave you with this funny little tidbit...

"In any system there is an entity at the top, the Supreme Overlord who
answers to no one.  Depending on the system, this entity might be called
"Mom" or "The Federal Government" or "God". Unix calls it Root; Windows
calls it Administrator.  Since the Supreme Overlord's power is
unlimited, you must choose your Supreme Overlord wisely. If you don't
like how your Supreme Overlord is behaving, your only recourse is
overthrow.  If you hire Darth Vader as your Supreme Overlord, no amount
of Trustworthy Computing will save you."

:m:dsm:cci:mvp

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, June 28, 2005 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Yes, I do.  But, his question had nothing to do with "Is it right or not?"
I count on joe to totally over-react to such things!

:op

But, just for the record, I don't condone in any way the overuse or the
mismanagement of advanced privileges and rights for convenience in any
way, shape or form.

I, personally, prefer to see a 'role based' administration model in
which the defined NEEDS (as compared to the whacked out wants of most
technical people) are developed in conjunction with the Technical people
doing the work and the Technical staff in one's Information Security
dept.

These roles would align with what technical staff do.  I only NEED one
or two Domain Admins.  On the other hand, I need a bunch of people that
can manage, add, modify users, groups and computers, but they still have
to earn the privilege.  Same goes with GPO, etc, etc, etc.  Just because
you can spell GPO doesn't mean I trust you to work on them.

And, I am also a strong believer that if you can review event logs to
determine health of machines from your desktop, then why do you RDP to
servers?  I'm also not going to give you the right to shut down systems
just because you think you're making MY life easier.  Wake me up...  If
it needs to be shut down, I'll do it.

I also am a strong believer in change control and following procedure.
But, if you've done none of the above - then why bother with Change
Control or procedures?  Both assume that there is a sequence of control
built into your systems - which if you're not doing the above - isn't
the case.

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Now that we're beyond the technical specs... does anyone else cringe at
the idea of granting domain admin privileges to satisfy local
administrative rights privileges to machines?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Group Membership

Juan,

You won't be able to add users from another domain to the Domain Admins
group.  The Domain Admins group is a global group, and the rule for
Global Groups is that they can contain users from the domain in which
the global group was created.

By that rule, only users of Domain A may be members of the Domain Admins
group of Domain A.

However, IIRC, the Administrators group is a special group or a Domain
Local group, and will allow adding users from Domain B.

Rick

> From: "Ibarra, Juan" <[EMAIL PROTECTED]>
> Date: 2005/06/27 Mon AM 11:24:58 EDT
> To: <ActiveDir@mail.activedir.org>
> Subject: [ActiveDir] Domain Admins Group Membership
> 
> Hi,
> 
> I need to add certain users from domain B, Win 2000 Domain, to the
> Domain Admins group of Domain A, Windows 2003 Domain.  There is a
> two-way trust between the two domains; however, I don't seem to find
> the way to do this.  I am able to add users to shares but not the
> group.
> 
> How could I accomplish this?
> 
> Thanks,
> 
> Juan

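Editor's added example (not part of any message in this thread, and not
something the 2005 posters could have typed, since it uses PowerShell
and the RSAT ActiveDirectory module): it shows the group-scope rule Rick
describes - Domain Admins is Global, so it can only hold principals
from its own domain, while Administrators is Domain Local and can hold
principals from a trusted domain - and then does what the "does anyone
else cringe" post is really asking for: a dedicated domain local group
pushed into the local Administrators group of the target machines,
instead of handing out Domain Admins for local admin rights.  The domain
names domaina.example / domainb.example, the user jdoe, the group
LocalAdmins-WS, the OU path, the host ws01 and the helper
Test-GroupScopeAllowsMember are all hypothetical.  The ADSI "<SID=...>"
binding for a trusted-domain member and Add-LocalGroupMember (Windows
10 / Server 2016 and later) are assumptions about the environment, not
something the thread states.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# a two-way trust between domaina.example and domainb.example, and the
# hypothetical names below.

# --- 1. The scope rule, as pure logic (runs without a domain) ---
# A Global group can only contain principals from its own domain; a
# DomainLocal group can also contain principals from trusted domains
# (AD stores those as foreignSecurityPrincipal objects).
function Test-GroupScopeAllowsMember {
    param(
        [Parameter(Mandatory)][ValidateSet('Global', 'DomainLocal')]
        [string]$GroupScope,
        [Parameter(Mandatory)][string]$GroupDomainSid,  # e.g. S-1-5-21-...-...-...
        [Parameter(Mandatory)][string]$MemberSid        # full SID, domain SID + RID
    )
    # The member's domain SID is its SID with the trailing RID removed.
    $memberDomainSid = $MemberSid.Substring(0, $MemberSid.LastIndexOf('-'))
    $sameDomain = ($memberDomainSid -eq $GroupDomainSid)
    switch ($GroupScope) {
        'Global'      { return $sameDomain }  # Domain Admins: own domain only
        'DomainLocal' { return $true }        # Administrators: trusted domains too
    }
}

# --- 2. Check the two built-in groups against a Domain B user (hypothetical names) ---
$domA = 'domaina.example'   # Windows 2003 domain where the rights are needed
$domB = 'domainb.example'   # Windows 2000 domain the users come from

$domASid = (Get-ADDomain -Server $domA).DomainSID.Value
$user    = Get-ADUser -Identity 'jdoe' -Server $domB

foreach ($name in 'Domain Admins', 'Administrators') {
    $g  = Get-ADGroup -Identity $name -Server $domA
    $ok = Test-GroupScopeAllowsMember -GroupScope $g.GroupScope `
            -GroupDomainSid $domASid -MemberSid $user.SID.Value
    '{0,-14} scope={1,-11} may hold {2}\{3}: {4}' -f `
        $name, $g.GroupScope, $domB, $user.SamAccountName, $ok
}

# --- 3. Least privilege: a DomainLocal group scoped to the actual need ---
# Instead of Domain Admins, create a group whose only job is "local admin on
# these workstations", and put the trusted-domain users in it.
$groupName = 'LocalAdmins-WS'   # hypothetical
$grp = New-ADGroup -Name $groupName -GroupScope DomainLocal `
        -GroupCategory Security -Path 'OU=Groups,DC=domaina,DC=example' `
        -Server $domA -PassThru

# Trusted-domain principals are added by SID (assumed to work on this trust);
# AD creates the foreignSecurityPrincipal under CN=ForeignSecurityPrincipals.
$adsiGroup = [ADSI]"LDAP://$domA/$($grp.DistinguishedName)"
$adsiGroup.Add("LDAP://<SID=$($user.SID.Value)>")

# On each target machine the new group, not Domain Admins, goes into local
# Administrators. In production push this with a GPO (Restricted Groups or
# Group Policy Preferences); shown here on one host for illustration.
Invoke-Command -ComputerName 'ws01.domaina.example' -ScriptBlock {
    param($member)
    Add-LocalGroupMember -Group 'Administrators' -Member $member
} -ArgumentList "DOMAINA\$groupName"
```

Part 1 is what the thread's membership rule boils down to: compare the
member's domain SID (its SID minus the RID) with the group's domain SID,
and a Global group refuses anything that does not match.  Part 3 is the
point of the "cringe" reply: membership in LocalAdmins-WS gives exactly
local admin on the machines that group is pushed to, and nothing in the
directory, which is what Juan's original request actually needed.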
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/