[ActiveDir] Message Not Delivered

Wed, 20 Jul 2005 04:26:39 -0700 

-----------------------------------------------------------
Attention: Non-Delivery Report
-----------------------------------------------------------

This report is generated by the email server at:

       ivytech.edu

The message with subject:

       "RE: [ActiveDir] Delegation of privilege"

and attached to this report was not delivered to 
the following recipients:

Address: [EMAIL PROTECTED]
Reason:  554 5.5.2 No valid recipients (554)
--------------


--- Begin Message ---

I will read carefully all the docs. u forwaded me.

I just noticed that when I do a "whoami /all" command on my DC with my domain 
admin account (for example), i found this privilege:

SeChangeNotifyPrivilege  activate
SeImpersonatePrivilege   activate
SeCreateGlobalPrivilege  activate

I wonder if just giving a user these privileges, this user may have the same 
privilege .... but i thing it is a .... a naive thought :-)

I will rather read the secdefs.doc, Active Directory Delegation Best Practices 
document, and the delegwiz.inf

Thanks all for help.

Yann

-----Message d'origine-----
De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Mark Parris
Envoyé : mardi 19 juillet 2005 15:12
À : ActiveDir.org
Objet : Re: [ActiveDir] Delegation of privilege

Search microsoft.com for secdefs.doc

The document is....

Default access control settings in Windows Server 2003

Mark
-----Original Message-----
From: "TIROA YANN" <[EMAIL PROTECTED]>
Date: Tue, 19 Jul 2005 15:03:40
To:<ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] Delegation of privilege

Ok, Thanks Sakari and Dan for your answers :) 
 
I will test TWEAKUI for Windows XP. 
 
But in fact, my need is rather giving a user server op, or equivalent 
privilege, for only *one DC* and not the whole DCs of my Domain. 
 
Last question:  Where all the privileges are defined for built-in accounts ? 
are they in a .ini file or whatever ? 
Ex: domains admin have the right to do this action. I'd like to find where 
those privileges are declared.... in an special ACL, a file, a registry ?.... 
 
Thanks for Input :)
Yann
 
 De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Dan Holme 
Envoyé : mardi 19 juillet 2005 08:47 À : ActiveDir@mail.activedir.org Objet : 
RE: [ActiveDir] Delegation of privilege

 
 
 
This may be a “rotten” answer or a perfect answer…  Check out TWEAKUI for 
Windows XP.  It’s ACCESS CONTROL section gives you “UI” ability to change very 
specific activities’ permissions, e.g. creating a share, etc.  You might try it 
(in a lab, first of course) as far as how it works on 2003 for the specific 
things you are trying to accomplish.  Because the Access Control will be server 
(in your case, DC) specific, it might just work.  I’ve NOT tried it… but I 
think it’d be worth a shot. 
 
 
 
Dan
 
 
 
 
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege
 
 
 
Hi Yann,
 
 
 
You could grant your user those privileges that are listed as User Rights, by 
applying a corresponding Group Policy Object to only one DC. However, this is 
probably not enough for you. For example, you cannot grant a privilege to 
format hard drives or share folders this way.
 
 
 
Yours, Sakari
 
 
 
 
 
   
 
   
       
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]   On Behalf Of TIROA   YANN
Sent: Monday, July 18,   2005 8:39 PM
To:   ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of   privilege
   
   
   
Hello AD Gurus   :)
   
   
 
   
   
I would like to give to one   of my user "server operator" privilege on only 
one DC, and not the whole   DCs of my AD 2003.
   
   
I know that DCs do not   have sam locally, and the only way to give this 
privilege is to use the   Built-in Groups in the Built-in Container. But doing 
this allow my user   to be server op for all DCs in my domain.
   
   
 
   
   
The purpose of my question   is;
   
   
=> to give one user the   privilege to fully manage *only one*  DC  with 
"server   operator" privilege, without having the right to use MMCs such as 
ADUC,   Schema, dssite, replmon, repadmin commands.
   
   
 
   
   
Is this possible   ?
   
   
 
   
   
Thanks for   input.
   
   
 
   
   
Cheers,
   
   
 
   
   
Yann
   
   
 
   
   
   
 
[EMAIL PROTECTED]       šŠV«r¯yÊ&ý§-Š÷Š¾4™¨¥iËb½çb®Šà


--- End Message ---






















					Reply via email to