RE: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread Abbiss, Mark
Is it really important why? I just want to know how it might be done. I am
weird like that.

Thanks for any other tips anyone might have.



-Original Message-
From: ASB [mailto:[EMAIL PROTECTED] 
Sent: Montag, 13. September 2004 21:44
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Logging on to a Domain Controller


~
I would like to give a group of our 2nd level administrators the ability to
log on to all Domain Controllers. ~

Because?

-ASB


- Original Message -
From: Abbiss, Mark [EMAIL PROTECTED]
Date: Mon, 13 Sep 2004 14:32:47 +0200
Subject: [ActiveDir] Logging on to a Domain Controller
To: [EMAIL PROTECTED] [EMAIL PROTECTED]


I am going round in circles and am now completely confused!

I would like to give a group of our 2nd level administrators the ability to
log on to all Domain Controllers. I have applied a group policy to the
"Domain Controllers" OU which sets Computer Configuration - Windows
Settings - Security Settings - Local Policies - User Rights Assignment
to give this group the "Log on locally" right. I have also ensured that the
group policy is applied to all authorised users. I have no problem logging
on as I am an Enterprise Admin; however, the other admins are denied the
ability to log on.

Therefore, I modified the local DC security settings to give the same group
the "Log on locally" right. Still they cannot log on.

Please, what could I be missing? Do I need to set access rights anywhere
else? Can I do anything to troubleshoot what rights this group is getting?

Many thanks for any help.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread joe
The reason for the question is that allowing local access to a DC
substantially impacts your security. It is extremely bad practice and poor
form to give non-domain admins interactive access to domain controllers. The
recommendation from everyone, including MS, is to not do it. Why? Because if
they so choose, the person you give the access to will most likely have the
ability to get administrative level access and can hopscotch that into
complete forest admin access - usually with no knowledge of the DAs and
EAs.

Most people tend to do it when they don't know how to do things in a better,
more secure way. When we ask why, we are trying to understand the context to
better provide solutions. I.e. lots of people ask for lots of things and
most of the time they don't know what they are asking for, else they
generally don't need to ask. Not saying you fit this category, but before we
give someone a loaded gun, we like to know that they intend to point it at a
rat in the dumpster versus their own head or foot.

My general answer to someone who wants to give someone else interactive
domain controller access is to give them domain admin rights; then you
aren't fooling yourself into thinking you have a secure solution.

  joe

 



RE: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread Abbiss, Mark
Okay, as you were so helpful as to provide your reason for asking, so will
I.

We have two groups of administrators in our setup. There is Group 1, who can
actually log on and make the necessary changes, and there is Group 2, who
should be able to log on and be able to look around, check running
processes, check settings, etc., but have no ability to start
installing/removing software or making other system changes.

So I would like to be able to grant this second level of administrators the
ability to log on to a domain controller, but so far I have not been able to
do it. I have followed various instructions but all to no avail. The message
I see says "You do not have access to log on to this session."

So if anyone can suggest a way to allow me to set up a group with the
ability to log on to DCs with a restricted set of rights, I would be
eternally grateful.

Many thanks in advance.

Mark 





RE: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread James_Day
Hi Mark

In the default domain controller group policy check the allow logon local /
allow logon terminal (are they accessing the box using the local console or
via remote desktop?).  Also check the deny logon local and deny logon
terminal.  Those four settings should override anything that is set
elsewhere in GPO or local settings.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]



RE: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread Seely Jonathan J
*CONFIDENTIALITY  NOTICE*
This e-mail may contain information that is privileged, confidential, or otherwise 
exempt from disclosure under applicable law. If you are not the addressee or it 
appears from the context or otherwise that you have received this e-mail in error, 
please advise me immediately by reply e-mail, keep the contents confidential, and 
immediately delete the message and any attachments from your system. 
**


Hi Mark,

If they are using terminal services, you might also check the Terminal
Services Configuration RDP-Tcp permissions.  I believe by default it is
only Administrator and System that have access.

JJ


RE: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread Rick Boza
I'm going to drift a little bit off topic, but I suspect this is
pertinent.

While this strategy is technically correct, let's not fool ourselves.
Physical access to the DC is the key to the kingdom, not interactive
logon rights. If I can touch the system I'm just a few downloads away
from starting to hack the database. There are so many aspects to
securing AD, and this is rule number one.

So having said that, I think a better approach to these situations is to
ask 'what do I really want to accomplish?' rather than simply 'how do I
do X or Y?'

From Mark's response, granting folks the ability to 'look around' as he
put it, there are much better approaches to accomplishing what I am
assuming is his goal of letting people monitor the server (if the goal
is different then the solution is probably different). You can
certainly monitor many of the things outlined in Mark's reply using
remote tools that require neither an interactive session nor physical
access - checking settings and running services can all be done (perhaps
with a touch of creativity) using MOM or Spotlight or a host of other
methods.

Anyhow, I don't want to get too far into the weeds, but in my opinion,
physical access is just as important as, if not more important than,
interactive or local logons. Solve the problem, not the single technical
point, and you're probably better off.

Rick


RE: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread joe
That would be your RDP permissions most likely. By default only
administrators can log into a server that doesn't have app mode TS enabled.
Look in Terminal Services Configuration.

Just the same, I don't think it is the greatest approach. There really
shouldn't be a lot of need to look around like that. Good monitoring,
consistent system builds, and familiarity with the environment / good
documentation should make it unnecessary. 

  joe
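
A troubleshooting aid for the two checks raised above, James Day's four logon rights (allow/deny "Log on locally" and allow/deny "Log on through Terminal Services") and the RDP-Tcp connection permission that JJ and joe point to, added here as an example and not code from anyone on the thread. It evaluates a `[Privilege Rights]` section in the format `secedit /export /cfg <file> /areas USER_RIGHTS` writes, applying the rule that a deny right wins over an allow right and that an RDP session must also pass the listener permission; the export text, the domain SID and the RDP-Tcp ACL are constructed, only the well-known SIDs are real.

```python
"""Evaluate a DC's effective logon rights for a given token (added example)."""

# Constructed [Privilege Rights] section in the format written by
# `secedit /export /cfg <file> /areas USER_RIGHTS`. SIDs carry a leading '*';
# the domain SID S-1-5-21-1000-2000-3000 and its RIDs 1105/1106 are made up.
# Well-known SIDs: S-1-5-32-544 Administrators, S-1-5-32-549 Server Operators.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-21-1000-2000-3000-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1106
SeDenyRemoteInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed RDP-Tcp connection permission (Terminal Services Configuration
# -> RDP-Tcp -> Permissions), mirroring the "only Administrators and SYSTEM"
# default described in the thread. S-1-5-18 is SYSTEM.
RDP_TCP_ALLOWED = {"S-1-5-32-544", "S-1-5-18"}

RIGHTS_FOR_SESSION = {
    # session type -> (allow right, deny right); these are "Log on locally" and
    # "Log on through Terminal Services" in the Group Policy editor.
    "console": ("SeInteractiveLogonRight", "SeDenyInteractiveLogonRight"),
    "rdp": ("SeRemoteInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight"),
}


def parse_privilege_rights(text):
    """Return {right_name: set_of_sids} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # A right with an empty value is present but grants nobody.
        sids = {s.strip().lstrip("*") for s in value.split(",") if s.strip()}
        rights[name.strip()] = sids
    return rights


def effective_logon(rights, token_sids, session, rdp_tcp_allowed=RDP_TCP_ALLOWED):
    """Decide a console or RDP logon for a token (user SID plus group SIDs).

    Returns (allowed, reason). A deny right always wins over an allow right,
    and an RDP session must also pass the RDP-Tcp connection permission.
    """
    token = set(token_sids)
    allow, deny = RIGHTS_FOR_SESSION[session]
    denied_by = token & rights.get(deny, set())
    if denied_by:
        return False, f"{deny} lists {sorted(denied_by)}"
    if not token & rights.get(allow, set()):
        return False, f"no token SID is granted {allow}"
    if session == "rdp" and not token & rdp_tcp_allowed:
        return False, "no token SID has the RDP-Tcp connection permission"
    return True, f"granted via {allow}"


def troubleshoot(export_text, token_sids):
    """Evaluate both session types; returns {'console': (ok, why), 'rdp': (ok, why)}."""
    rights = parse_privilege_rights(export_text)
    return {s: effective_logon(rights, token_sids, s) for s in RIGHTS_FOR_SESSION}


if __name__ == "__main__":
    # Constructed token: a 2nd-level admin (RID 1500) in the custom RID-1105
    # group, plus Authenticated Users (S-1-5-11) and Everyone (S-1-1-0).
    member = {"S-1-5-21-1000-2000-3000-1500", "S-1-5-21-1000-2000-3000-1105",
              "S-1-5-11", "S-1-1-0"}
    for session, (ok, why) in troubleshoot(SAMPLE_EXPORT, member).items():
        print(f"{session:8s}{'ALLOWED' if ok else 'DENIED'}: {why}")
```

Run against a real export the script reports, per session type, which of the four rights or the RDP-Tcp ACL stops the logon, which is the question Mark's "what rights is this group getting" asks.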

 


RE: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread joe
Absolutely. Physical access means you own the box; there is no realistic large scale
way around it. It is one of the fundamental security rules with MS products
at the moment. With one, maybe two, downloads and the machine going offline,
you now have at least Domain Admin rights.

If you have locked down interactive access though, you can watch closely for
logons and such, as well as watch closely for outages, particularly down
events where the machine knows it went down and has been restarted and it
isn't something scheduled through the DAs.

Giving someone interactive rights makes it a little less easy to monitor for
things that shouldn't be happening on the machines. That is my opinion,
though; I am huge on not doing things from servers themselves, that is what
the remote admin functionality is all about. There are times when it is
difficult or impossible to not do something from the console or from TS, such
as boxes that are in secure networks with only a port or two open to them.
At that point, it is tough to do anything else unless you go the SSH way.

  joe

 


RE: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread Rick Boza
We're singing from the same hymnal.  You make what I think is an
excellent point: when you cannot absolutely control physical access,
monitoring from some other box (with alerting) becomes even more
important.

So in Mark's case, where he presumably has a highly distributed
infrastructure, keeping track of what's going on remotely is doubly
important.

(I'll quiet down and go back to lurking now)
 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, September 14, 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Logging on to a Domain Controller

Absolutely. Physical access means you own the box, no realistic large
scale way around it. It is one of the fundamental security rules with MS
products at the moment. With one maybe two downloads and the machine
going offline you now have at least Domain Admin rights.

If you have locked down interactive access though, you can watch closely
for logons and such as well as watch closely for outages, particularly
down events where the machine knows it went down and has been restarted
and it isn't something scheduled through the DAs. 

Giving someone interactive rights makes it a little less easy to monitor
for things that shouldn't be happening on the machines. That is my
opinion though, I am huge on not doing things from servers themselves,
that is what the remote admin functionality is all about. There are
times when it is difficult or impossible to not do something from the
console or from TS such as boxes that are in secure networks with only a
port or two open to them.
At that point, it is tough to do anything else unless you go the SSH
way. 

  joe

 

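The monitoring both Rick and joe describe above (watch the DCs from another box for console logons by people who should not be there, and for down events nobody scheduled) can be automated over an exported event log. The script below is an added example, not code from the list or from any of the tools mentioned. It assumes a CSV/SIEM-style export with the fields shown and uses the event IDs the current Windows Security and System logs emit (4624 successful logon with LogonType, 1074 user-initiated restart with reason, 6008 unexpected shutdown); the records, the expected-user list and the maintenance window are all constructed.

```python
"""Flag console/Terminal Services logons on domain controllers by accounts
outside the expected set, and restarts nobody scheduled.

Added example, not code from the thread.  Event IDs are the ones the
Windows Security and System logs use today (assumption: a CSV/SIEM export
that carries these fields); the records and the allow-list are constructed.
  4624  successful logon (LogonType 2 = console, 10 = Terminal Services /
        RDP, 11 = cached interactive); type 3 network logons are normal DC
        traffic and are ignored
  1074  shutdown/restart initiated by a user or process, with a reason
  6008  the previous shutdown was unexpected (the box "knows it went down")
"""
from datetime import datetime

CONSOLE_LOGON_TYPES = {2, 10, 11}

# Constructed records, roughly in the order the logs would show them.
SAMPLE_EVENTS = [
    {"time": "2004-09-14 08:55:02", "host": "DC01", "log": "Security", "id": 4624,
     "logon_type": 3, "user": "jsmith"},
    {"time": "2004-09-14 09:02:10", "host": "DC01", "log": "Security", "id": 4624,
     "logon_type": 2, "user": "mark"},
    {"time": "2004-09-14 09:10:44", "host": "DC02", "log": "Security", "id": 4624,
     "logon_type": 10, "user": "lvl2admin"},
    {"time": "2004-09-14 14:05:00", "host": "DC01", "log": "System", "id": 1074,
     "user": "CORP\\svc-backup", "reason": "Other (Unplanned)"},
    {"time": "2004-09-14 22:00:00", "host": "DC02", "log": "System", "id": 1074,
     "user": "CORP\\mark", "reason": "Planned maintenance"},
    {"time": "2004-09-15 03:12:31", "host": "DC03", "log": "System", "id": 6008},
    {"time": "2004-09-15 03:20:05", "host": "DC03", "log": "Security", "id": 4624,
     "logon_type": 2, "user": "DC03$"},
]

# Constructed: who is expected at a DC console, and when restarts are scheduled.
EXPECTED_CONSOLE_USERS = {"mark"}
MAINTENANCE_WINDOWS = [("2004-09-14 21:00:00", "2004-09-15 00:00:00")]

FMT = "%Y-%m-%d %H:%M:%S"


def _in_window(ts, windows):
    """True if the timestamp falls inside any [start, end) maintenance window."""
    t = datetime.strptime(ts, FMT)
    return any(datetime.strptime(a, FMT) <= t < datetime.strptime(b, FMT)
               for a, b in windows)


def unexpected_console_logons(events, expected_users):
    """Interactive/TS logons on a DC by anyone not on the expected list.
    Machine accounts (names ending in '$') log on interactively for the
    OS itself and are skipped."""
    expected = {u.lower() for u in expected_users}
    hits = []
    for e in events:
        if e.get("log") != "Security" or e.get("id") != 4624:
            continue
        if e.get("logon_type") not in CONSOLE_LOGON_TYPES:
            continue
        user = e.get("user", "")
        if user.endswith("$") or user.lower() in expected:
            continue
        hits.append((e["time"], e["host"], user, e["logon_type"]))
    return hits


def unplanned_restarts(events, windows):
    """6008 is always worth a look; 1074 only when it falls outside a
    maintenance window, i.e. a restart the DAs did not schedule."""
    hits = []
    for e in events:
        if e.get("log") != "System":
            continue
        if e.get("id") == 6008:
            hits.append((e["time"], e["host"], "unexpected shutdown (6008)"))
        elif e.get("id") == 1074 and not _in_window(e["time"], windows):
            who = e.get("user", "?")
            hits.append((e["time"], e["host"],
                         f"restart by {who} outside maintenance (1074)"))
    return hits


if __name__ == "__main__":
    for hit in unexpected_console_logons(SAMPLE_EVENTS, EXPECTED_CONSOLE_USERS):
        print("CONSOLE LOGON", *hit)
    for hit in unplanned_restarts(SAMPLE_EVENTS, MAINTENANCE_WINDOWS):
        print("RESTART      ", *hit)
```

On the constructed data this flags the Terminal Services logon by `lvl2admin` on DC02, the restart of DC01 by a service account outside the window, and the dirty shutdown of DC03; the planned 22:00 restart and the network logon are ignored. The design point is joe's: the shorter the list of accounts that may log on interactively, the shorter the allow-list here, and the more signal each alert carries.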

Re: [ActiveDir] Logging on to a Domain Controller

2004-09-14 Thread ASB
~
Is it really important why ?
~

Yes.  Very, in fact.

If we understand your goal, we may be able to help you reach that
objective without negatively impacting your environment.

If you'd prefer that we just let you cut out your spleen without
asking why, we can oblige as well...

-ASB

On Tue, 14 Sep 2004 14:59:48 +0200, Abbiss, Mark [EMAIL PROTECTED] wrote:
 Is it really important why ? I just want to know how it might be done. I am
 weird like that.
 
 Thanks for any other tips anyone might have.
 
 
 
 
 -Original Message-
 From: ASB [mailto:[EMAIL PROTECTED]
 Sent: Montag, 13. September 2004 21:44
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Logging on to a Domain Controller
 
 ~
 I would like to give a group of our 2nd level administrators the ability to
 log on to all Domain Controllers. ~
 
 Because?
 
 -ASB
 
 - Original Message -
 From: Abbiss, Mark [EMAIL PROTECTED]
 Date: Mon, 13 Sep 2004 14:32:47 +0200
 Subject: [ActiveDir] Logging on to a Domain Controller
 To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 
 I am going round in circles and am now completely confused !
 
 I would like to give a group of our 2nd level administrators the ability to
 log on to all Domain Controllers. I have applied a group policy to the
 Domain Controllers  OU which sets the Computer configuration - windows
 settings - security settings - local policies - user rights assignment 
 to give this group Log on locally rights. I have also ensured that the
 group policy is applied to all authorised users. I have no problem logging
 on as I am an Enterprise Admin, however, the other admins are denied the
 ability to log on.
 
 Therefore, I modified the local DC security settings to give the same group
 the Log on locally right. Still they cannot log on.
 
 Please, what could I be missing ? Do I need to set access rights anywhere
 else ? Can I do anything to troubleshoot what rights this group is getting ?
 
 Many thanks for any help.
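Mark asks in the quoted message how to see what rights the group actually ends up with on a DC. The effective local security policy can be dumped with `secedit /export /cfg <file>`, and the `[Privilege Rights]` section of that INF file lists each user right with the SIDs that hold it. The parser below is an added example (not code from the thread or from Microsoft) that reads such an export and classifies a token; the INF text is a constructed fragment and the SID ending in `-1105` is a made-up domain group standing in for the 2nd-level admins. Two checks it builds in: a `SeDenyInteractiveLogonRight` entry wins over any `SeInteractiveLogonRight` entry for the same principal, and because the GPO linked to the Domain Controllers OU overrides the DC's local security settings, the export of the effective policy is the place to look rather than the local settings Mark edited.

```python
"""Parse a `secedit /export` policy file and explain how the 'Allow log on
locally' right applies to a given account's group memberships.

Added example for this thread; it is not code from the list or from
Microsoft.  The INF text below is constructed to resemble the
[Privilege Rights] section of a real export; the SID ending in -1105
is a made-up domain group.
"""

# Constructed sample of a secedit export.  Well-known SIDs used:
#   S-1-5-32-544 Administrators, S-1-5-32-548 Account Operators,
#   S-1-5-32-549 Server Operators, S-1-5-32-551 Backup Operators,
#   S-1-5-11 Authenticated Users.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-21-1111-2222-3333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

ALLOW_LOCAL = "SeInteractiveLogonRight"       # "Allow log on locally"
DENY_LOCAL = "SeDenyInteractiveLogonRight"    # "Deny log on locally"


def parse_privilege_rights(text):
    """Return {right_name: set(SIDs)} for the [Privilege Rights] section.

    secedit writes each right as  Name = *SID,*SID,...  (the leading '*'
    marks a SID rather than a name); every other section is skipped."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sids = {tok.strip().lstrip("*") for tok in value.split(",") if tok.strip()}
        rights[name.strip()] = sids
    return rights


def local_logon_status(rights, token_sids):
    """Classify a token (the set of SIDs an account logs on with).

    A matching Deny entry wins over any Allow entry, which is the usual
    reason an account that was "given the right" still cannot log on."""
    denied = rights.get(DENY_LOCAL, set()) & token_sids
    allowed = rights.get(ALLOW_LOCAL, set()) & token_sids
    if denied:
        return "denied", sorted(denied)
    if allowed:
        return "allowed", sorted(allowed)
    return "not granted", []


def report(text, token_sids):
    """One-line human-readable verdict for an account's token."""
    status, via = local_logon_status(parse_privilege_rights(text), token_sids)
    return status + (f" via {', '.join(via)}" if via else "")


if __name__ == "__main__":
    # The 2nd-level admin group, modelled as the -1105 SID: it appears in
    # both the allow and the deny list, so the deny wins.
    print(report(SAMPLE_EXPORT, {"S-1-5-11", "S-1-5-21-1111-2222-3333-1105"}))
    print(report(SAMPLE_EXPORT, {"S-1-5-11", "S-1-5-32-544"}))   # an Administrator
    print(report(SAMPLE_EXPORT, {"S-1-5-11"}))                   # Authenticated Users only
```

Run it against a real export taken on the DC after a `gpupdate`, feeding in the SIDs from the affected user's token, and the verdict tells you which entry the logon screen is acting on. The same parser works for `SeRemoteInteractiveLogonRight` and its deny counterpart if the question is Terminal Services access rather than the console.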


[ActiveDir] ADC question

2004-09-14 Thread Jason Benway
We are running Exchange 55 in our domain. The root of our forest (running
Exchange 2000, different domain) has an ADC that replicates the information
from our Exchange 55 into the Windows 2000 forest. The problem is we are
trying to use AD for our phone list, so I have all the user info filled out.
None of this information is in our Exchange store. But when the ADC runs it
overwrites the information in AD. Is there a way to stop it from overwriting
the phone, contact, location, etc. information in AD?

Thanks,
jb


Re: [ActiveDir] ADC question

2004-09-14 Thread Paul van Geldrop
Jason,
In the AD Connector's properties, you should be able to select specific 
fields on the From Exchange tab.
I'm not sure if that includes the information you specify, but it might be 
worth a look.

Good luck,
Paul.
- Original Message - 
From: Jason Benway [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 14, 2004 8:05 PM
Subject: [ActiveDir] ADC question


We are running Exchange 55 in our domain. The root of our forest (running
Exchange 2000, different domain) has an ADC that replicates the information
from our Exchange 55 into the Windows 2000 forest. The problem is we are
trying to use AD for our phone list, so I have all the user info filled out.
None of this information is in our Exchange store. But when the ADC runs it
overwrites the information in AD. Is there a way to stop it from overwriting
the phone, contact, location, etc. information in AD?
Thanks,
jb


RE: [ActiveDir] ADC question

2004-09-14 Thread Salandra, Justin A.
Try changing the direction that initial replication happens to From
Windows instead of From Exchange

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Tuesday, September 14, 2004 2:06 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] ADC question

We are running Exchange 55 in our domain. The root of our forest (running
Exchange 2000, different domain) has an ADC that replicates the information
from our Exchange 55 into the Windows 2000 forest. The problem is we are
trying to use AD for our phone list, so I have all the user info filled out.
None of this information is in our Exchange store. But when the ADC runs it
overwrites the information in AD. Is there a way to stop it from overwriting
the phone, contact, location, etc. information in AD?

Thanks,
jb


[ActiveDir] BMC Patrol to monitor AD?

2004-09-14 Thread mikeb
All,

Anybody out there using BMC Patrol to monitor your AD?  Could you fire me an email, 
offline if you want, with opinions about how well it's doing?  We were going to go 
with MOM but are now under direction to go with the AD KMs in Patrol (we already have 
Patrol in-house and don't yet have MOM) and are concerned that it's not up to the job.

Thanks,
Mike


RE: [ActiveDir] Group Policy Errors

2004-09-14 Thread Brian Desmond
You can't.
 
--Brian

-Original Message- 
From: Za Vue [mailto:[EMAIL PROTECTED] 
Sent: Tue 9/14/2004 3:37 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] Group Policy Errors



Thought I ask before I go digging for the answer.
Does any know how to change the Restrictions notice for group policy?
Instead of the default notice I want to just say something simple like Access
Denied.

Thanks...

