Cool, thanks for the info – excellent as usual, joe.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

The docs are wrong. Many
of us have been hounding MS on this for years. They really started
straightening out docs with K3. Some of the older 2K docs still suggest this
security boundary at the domain. It really came to a head when Lucent put out a
paper on this and it started getting quoted in the newsgroups and some of us
just flamed the crap out of it. No one here or anywhere
should really publish how to exploit rights on a DC to take over a forest. The
answer is pretty self-evident if someone understands the underpinnings and
processes used in AD and since we can't fully protect against it, it
is better left undocumented. If there was a guaranteed safe way to protect
ourselves, then we could publish that workaround and some time later
publish the issue.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DeStefano, Dan

I thought that in AD
domains are considered security boundaries. In the cert exams, namely the
70-219, they are considered as such. Also, how would a domain admin of a child
domain elevate his privileges?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf

Even as a domain admin of a child domain they will
still be able to munge your forest or elevate their privileges. The security
boundary in AD is at the forest, not the domain.

Phil

On 9/22/05, Gideon Ashcraft <[EMAIL PROTECTED]> wrote:
The only thing to do is to make him an admin of that
site, or better yet make that site a child domain and make him a domain admin
of that child domain. I know from experience that using a DC as anything but a
DC is a freakin pain in the ass, my predecessor set a DC up as a print/file
server and another as a SQL server (finally able to demote that one now, soon
hopefully). But my citrix profiles are on the domain controller, and after
months of trying to set delegation up properly in AD and setting up permissions
in the appropriate folders on the DC, the only way I was able to get my
Helpdesk admin set up to create accounts with my scripts so that I didn't have
to do it was to make him a domain admin. My company is too damn cheap to get me
another server to put the citrix profiles somewhere else. Oh yeah, and it's an
app server for network install of Office (can you feel my pain).

So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin
(make it a child domain so he can't climb up the tree).

Gideon Ashcraft
Network Admin
Screen Actors Guild

Look
through the archives. The
short answer is... "Just don't do it". You can't possibly secure this
regardless of what anyone says. If someone says it can be made safe, stop
asking them technical questions about Domain Controllers and Active Directory. Either
you trust the person or you don't. If you don't trust the person, then don't
put the person in a position to show you the meaning of screwed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of van Donk, Fred

I have a contractor in a remote
site. There is only 1 server in that site, which is a DC. He needs to administer that server:
- Create shares
- Make file/share permissions
- Change user passwords in the User OU for that site.
He is not allowed to log on to any
other server in the domain. When I make him a "Server
Operator" he can logon to any server in the domain. Any idea on how to lock him down to
that one server and then how to lock him down on that one OU where he should
only be allowed to change the passwords of the users. Thanks!

Fred

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
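The OU half of Fred's question (reset passwords for users in one OU and nothing else) is the part that ordinary AD delegation does cover; the thread's point that admin rights on a DC cannot be contained stands on its own. The script below is an added example written for this page, not code from any poster on the thread or from Microsoft. The domain (corp.example), the OU path and the group name CORP\RemoteSite-PwdReset are assumptions. It grants the group only the "Reset Password" control access right and write access to pwdLastSet, scoped to user objects under that OU, which is the same pair of permissions the Delegation of Control wizard's password-reset task sets; the three GUIDs are fixed AD schema identifiers, not assumptions.

```powershell
# Added example: delegate password reset on one OU to one group, nothing more.
# Run as a user who can modify the OU's security descriptor (e.g. a domain admin), from a domain-joined host.
# Assumed names (not from the thread): OU path, domain, and group below.
$ouDN  = "OU=SiteUsers,OU=RemoteSite,DC=corp,DC=example"
$group = New-Object System.Security.Principal.NTAccount("CORP", "RemoteSite-PwdReset")
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier])

# Fixed AD schema GUIDs (controlAccessRight rightsGuid / schemaIDGUID values):
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # control access right: Reset Password
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of class 'user'
$pwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"   # attributeSchema: pwdLastSet

$ou  = [ADSI]"LDAP://$ouDN"
$acl = $ou.ObjectSecurity

# ACE 1: the Reset Password extended right, applied only to descendant 'user' objects.
# Note: this is *not* Write to unicodePwd/userPassword, so the grantee cannot set a password
# without going through the reset-password operation.
$resetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

# ACE 2: write pwdLastSet, so the helpdesk can tick "User must change password at next logon".
$pwdLastSetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl.AddAccessRule($resetAce)
$acl.AddAccessRule($pwdLastSetAce)
$ou.CommitChanges()

# Verification: list every ACE on the OU that names the group. Expect exactly the two above;
# anything broader (GenericAll, WriteDacl, WriteOwner, or an ACE with an empty ObjectType) means
# the delegation is wider than "reset passwords" and should be removed.
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Two things this does not do, on purpose: it grants nothing at the domain or DC level, and it does not add the group to Server Operators or Account Operators, the built-in groups whose rights apply to every DC in the domain (which is the behaviour Fred saw). Keep the protected accounts out of the OU as well: objects covered by AdminSDHolder have inheritance disabled, so the contractor's group gets no rights on them regardless of this ACL.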