RE: Here's a weird one - customer wants to give domain admin rights to non domain admin group members.

2010-06-10 Thread Malcolm Reitz
Group Policy Preferences will let you just add members to the local
Administrator group without disturbing the existing contents of that group.

-Malcolm

From: Graeme Carstairs [mailto:loonyto...@gmail.com]
Sent: Thursday, June 10, 2010 11:14
To: NT System Admin Issues
Subject: Re: Here's a weird one - customer wants to give domain admin rights
to non domain admin group members.

I have used restricted groups before and would not be keen to use them on
servers.

Further discussions with the client and he revealed it was a "hypothetical"
from HR as to whether or not it could be done.

Thanks for all the suggestions.

Graeme

On 10 June 2010 16:55, Alan Davies wrote:

First - do not use Restricted Group on your servers without understanding
it.  You'll most likely strip out every service account in one quick step
and break your entire business!!

Second - yes, you can just create a domain group and have that added to
local Administrators groups on every server via GPO (could be a script,
could be Restricted Groups ... latter a better option, but see earlier
warning!).

However, if you're looking at a user and they're not a Domain Admin but
you're worried they could possibly have admin on servers or on AD services,
you're out of luck.  There are a million sneaky ways they could have added
themselves or a sneaky group to various ACLs on servers, in AD, in all sorts
of devious places.

If you're hugely concerned and they need to still have access for some time,
create a new account with no privs and have them use that once you've
disabled the other account.  It's the only way.  However .. if they know
service account passwords, etc., then they can get access back that way too
...

a

From: Graeme Carstairs [mailto:loonyto...@gmail.com]
Sent: 10 June 2010 14:57
To: NT System Admin Issues
Subject: Re: Here's a weird one - customer wants to give domain admin rights
to non domain admin group members.

Yeah, that's what I thought.

I think they are wanting to make sure that if someone had the admin account
they couldn't set themselves up with full domain admin rights, without
having the account in the domain admin and local admin groups.

It's a security check thing, I think they are preparing to remove someone or
someone is leaving who had domain admin rights on a second admin account and
want to be sure they haven't set anything else up.

I'll check the GPOs.

Graeme

On 10 June 2010 14:52, James Rankin wrote:

Or do you mean have admin rights without belonging to the local
administrators group? You could easily give them all permissions and user
rights normally restricted to Administrators, but that would kind of defeat
the entire object of having the administrators group in the first place.

On 10 June 2010 14:47, Graeme Carstairs wrote:

I have been asked by a customer if on their 2003 AD domain it is possible
for someone to have admin rights to the servers and not be a member of
domain admins.

and local admin groups on member servers.

Anyone know if it can be done?

Graeme

--
Good news everyone, you have just received an e-mail from me!

-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."

WARNING:
The information in this email and any attachments is confidential and may be
legally privileged.

If you are not the named addressee, you must not use, copy or disclose this
email (including any attachments) or the information in it save to the named
addressee nor take any action in reliance on it. If you receive this email
or any attachments in error, please notify the sender immediately and then
delete the same and any copies.

"CLS Services Ltd × Registered in England No 4132704 × Registered Office:
Exchange Tower × One Harbour Exchange Square × London E14 9GE"

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

Re: Here's a weird one - customer wants to give domain admin rights to non domain admin group members.

2010-06-10 Thread Graeme Carstairs
I have used restricted groups before and would not be keen to use them on
servers.

Further discussions with the client and he revealed it was a "hypothetical"
from HR as to whether or not it could be done.

Thanks for all the suggestions.

Graeme

On 10 June 2010 16:55, Alan Davies wrote:

> First - do not use Restricted Group on your servers without understanding
> it.  You'll most likely strip out every service account in one quick step
> and break your entire business!!
>
> Second - yes, you can just create a domain group and have that added to
> local Administrators groups on every server via GPO (could be a script,
> could be Restricted Groups ... latter a better option, but see earlier
> warning!).
>
> However, if you're looking at a user and they're not a Domain Admin but
> you're worried they could possibly have admin on servers or on AD services,
> you're out of luck.  There are a million sneaky ways they could have added
> themselves or a sneaky group to various ACLs on servers, in AD, in all sorts
> of devious places.
>
> If you're hugely concerned and they need to still have access for some
> time, create a new account with no privs and have them use that once you've
> disabled the other account.  It's the only way.  However .. if they know
> service account passwords, etc., then they can get access back that way too
> ...
>
> a
>
> *From:* Graeme Carstairs [mailto:loonyto...@gmail.com]
> *Sent:* 10 June 2010 14:57
> *To:* NT System Admin Issues
> *Subject:* Re: Here's a weird one - customer wants to give domain admin
> rights to non domain admin group members.
>
> Yeah, that's what I thought.
>
> I think they are wanting to make sure that if someone had the
> admin account they couldn't set themselves up with full domain admin rights,
> without having the account in the domain admin and local admin groups.
>
> It's a security check thing, I think they are preparing to remove someone or
> someone is leaving who had domain admin rights on a second admin account and
> want to be sure they haven't set anything else up.
>
> I'll check the GPOs.
>
> Graeme
>
> On 10 June 2010 14:52, James Rankin wrote:
>
>> Or do you mean have admin rights without belonging to the local
>> administrators group? You could easily give them all permissions and user
>> rights normally restricted to Administrators, but that would kind of defeat
>> the entire object of having the administrators group in the first place.
>>
>> On 10 June 2010 14:47, Graeme Carstairs wrote:
>>
>>> I have been asked by a customer if on their 2003 AD domain it is possible
>>> for someone to have admin rights to the servers and not be a member of
>>> domain admins.
>>>
>>> and local admin groups on member servers.
>>>
>>> Anyone know if it can be done?
>>>
>>> Graeme
>>


RE: Here's a weird one - customer wants to give domain admin rights to non domain admin group members.

2010-06-10 Thread Alan Davies
First - do not use Restricted Group on your servers without
understanding it.  You'll most likely strip out every service account in
one quick step and break your entire business!!

Second - yes, you can just create a domain group and have that added to
local Administrators groups on every server via GPO (could be a script,
could be Restricted Groups ... latter a better option, but see earlier
warning!).

However, if you're looking at a user and they're not a Domain Admin but
you're worried they could possibly have admin on servers or on AD
services, you're out of luck.  There are a million sneaky ways they
could have added themselves or a sneaky group to various ACLs on
servers, in AD, in all sorts of devious places.

If you're hugely concerned and they need to still have access for some
time, create a new account with no privs and have them use that once
you've disabled the other account.  It's the only way.  However .. if
they know service account passwords, etc., then they can get access back
that way too ...

a

From: Graeme Carstairs [mailto:loonyto...@gmail.com]
Sent: 10 June 2010 14:57
To: NT System Admin Issues
Subject: Re: Here's a weird one - customer wants to give domain admin
rights to non domain admin group members.

Yeah, that's what I thought.

I think they are wanting to make sure that if someone had the admin
account they couldn't set themselves up with full domain admin rights,
without having the account in the domain admin and local admin groups.

It's a security check thing, I think they are preparing to remove someone
or someone is leaving who had domain admin rights on a second admin
account and want to be sure they haven't set anything else up.

I'll check the GPOs.

Graeme

On 10 June 2010 14:52, James Rankin wrote:

Or do you mean have admin rights without belonging to the local
administrators group? You could easily give them all permissions and
user rights normally restricted to Administrators, but that would kind
of defeat the entire object of having the administrators group in the
first place.

On 10 June 2010 14:47, Graeme Carstairs wrote:


I have been asked by a customer if on their 2003 AD
domain it is possible for someone to have admin rights to the servers
and not be a member of domain admins. 

and local admin groups on member servers.

Anyone know if it can be done?

Graeme
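
Alan's point about ACLs in AD can be checked rather than guessed at. The script below is an added example and not code posted in the thread: it walks the directory and lists every explicit (non-inherited) ACE that names a given account or group, flagging the ones that allow more than reading. It assumes the ActiveDirectory PowerShell module on the management host (a 2003-era domain like the one in the thread would need a newer admin workstation for that), a placeholder identity CONTOSO\jdoe, and a constructed list of rights treated as sensitive.

```powershell
# Added example (not from the thread): list explicit, non-inherited ACEs in AD
# that name a given account or group, the kind of "sneaky ACL" entry Alan
# describes. Needs the ActiveDirectory module and read access to the directory.
# CONTOSO\jdoe and the list of rights treated as sensitive are assumptions.

Import-Module ActiveDirectory

# Rights that let a principal change an object or its security, not just read it.
$sensitiveRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight'

function Test-SensitiveRight {
    param($Rights)   # an ActiveDirectoryRights flags value
    # ToString() renders a flags value as "ReadProperty, WriteProperty", etc.
    foreach ($r in ($Rights.ToString() -split ',\s*')) {
        if ($sensitiveRights -contains $r) { return $true }
    }
    return $false
}

function Find-ExplicitAcesForPrincipal {
    param(
        [Parameter(Mandatory)][string]$Identity,   # DOMAIN\name, or a SID string for a deleted account
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Walks every object under SearchBase and reads its DACL; narrow SearchBase on a large domain.
    foreach ($obj in Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope Subtree) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # Inherited ACEs are explained by a parent; explicit ones were set on this object.
            if ($ace.IsInherited -or $ace.IdentityReference.Value -ne $Identity) { continue }
            [pscustomobject]@{
                Object    = $obj.DistinguishedName
                Type      = $ace.AccessControlType
                Rights    = $ace.ActiveDirectoryRights
                Sensitive = Test-SensitiveRight -Rights $ace.ActiveDirectoryRights
            }
        }
    }
}

# Constructed usage: where has CONTOSO\jdoe been granted rights directly? Sensitive ones first.
Find-ExplicitAcesForPrincipal -Identity 'CONTOSO\jdoe' |
    Sort-Object Sensitive -Descending |
    Format-Table Object, Type, Rights, Sensitive -AutoSize
```

This only finds ACEs that name the principal itself; rights held through group membership need those groups expanded first. A deleted account appears in a DACL only by SID, so in that case pass the SID string as the Identity.
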

Re: Here's a weird one - customer wants to give domain admin rights to non domain admin group members.

2010-06-10 Thread Graeme Carstairs
Yeah, that's what I thought.

I think they are wanting to make sure that if someone had the
admin account they couldn't set themselves up with full domain admin rights,
without having the account in the domain admin and local admin groups.

It's a security check thing, I think they are preparing to remove someone or
someone is leaving who had domain admin rights on a second admin account and
want to be sure they haven't set anything else up.

I'll check the GPOs.

Graeme

On 10 June 2010 14:52, James Rankin wrote:

> Or do you mean have admin rights without belonging to the local
> administrators group? You could easily give them all permissions and user
> rights normally restricted to Administrators, but that would kind of defeat
> the entire object of having the administrators group in the first place.
>
> On 10 June 2010 14:47, Graeme Carstairs wrote:
>
>> I have been asked by a customer if on their 2003 AD domain it is possible
>> for someone to have admin rights to the servers and not be a member of
>> domain admins.
>>
>> and local admin groups on member servers.
>>
>> Anyone know if it can be done?
>>
>> Graeme
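
The "security check" Graeme describes, confirming that a departing admin's account (or a group they created) is not sitting in local Administrators on the member servers, can be scripted. The following is an added example and not code posted in the thread: it reads each server's local Administrators group through the WinNT ADSI provider, which works against Windows Server 2003 hosts without WinRM, and reports every member not on an approved list. The server names, the CONTOSO domain and the approved list are constructed.

```powershell
# Added example (not from the thread): report members of local Administrators on
# member servers that are not on an approved list. Uses the WinNT ADSI provider,
# so it works against Windows Server 2003 without WinRM; run it as an account
# that can read local group membership on the targets.
# Server names, the CONTOSO domain and the approved list are constructed.

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as COM objects; read ADsPath and Class through reflection.
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
        # ADsPath is WinNT://CONTOSO/ServerAdmins for domain principals and
        # WinNT://CONTOSO/SRV01/Administrator for local accounts: keep the last two parts.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $name  = if ($parts.Count -ge 2) { $parts[-2..-1] -join '\' } else { $parts[-1] }
        [pscustomobject]@{ Computer = $ComputerName; Member = $name; Class = $class }
    }
}

function Find-UnapprovedLocalAdmins {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$Approved
    )
    foreach ($computer in $ComputerName) {
        # The built-in local Administrator account is always a member; allow it per machine.
        $allowed = $Approved + "$computer\Administrator"
        try {
            Get-LocalAdminMembers -ComputerName $computer |
                Where-Object { $allowed -notcontains $_.Member }
        }
        catch {
            Write-Warning "${computer}: could not read local Administrators ($($_.Exception.Message))"
        }
    }
}

# Constructed inputs: the servers to audit and what belongs in local Administrators.
$servers  = 'SRV01', 'SRV02'
$approved = 'CONTOSO\Domain Admins', 'CONTOSO\ServerAdmins'

Find-UnapprovedLocalAdmins -ComputerName $servers -Approved $approved |
    Format-Table Computer, Member, Class -AutoSize
```

Domain groups that show up as members need their own membership expanded (Get-ADGroupMember -Recursive) before the picture is complete, and the approved list should come from the server build standard rather than from whatever happens to be in the group today.
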

Re: Here's a weird one - customer wants to give domain admin rights to non domain admin group members.

2010-06-10 Thread James Rankin
Or do you mean have admin rights without belonging to the local
administrators group? You could easily give them all permissions and user
rights normally restricted to Administrators, but that would kind of defeat
the entire object of having the administrators group in the first place.

On 10 June 2010 14:47, Graeme Carstairs wrote:

> I have been asked by a customer if on their 2003 AD domain it is possible
> for someone to have admin rights to the servers and not be a member of
> domain admins.
>
> and local admin groups on member servers.
>
> Anyone know if it can be done?
>
> Graeme

Re: Here's a weird one - customer wants to give domain admin rights to non domain admin group members.

2010-06-10 Thread James Rankin
Easily, with restricted groups GPO. Just add another group to local
Administrators group on the target server(s). We do this for servers that
require some level of third-party support, although we keep their accounts
limited to certain date periods.

On 10 June 2010 14:47, Graeme Carstairs wrote:

> I have been asked by a customer if on their 2003 AD domain it is possible
> for someone to have admin rights to the servers and not be a member of
> domain admins.
>
> and local admin groups on member servers.
>
> Anyone know if it can be done?
>
> Graeme

RE: Here's a weird one - customer wants to give domain admin rights to non domain admin group members.

2010-06-10 Thread Ziots, Edward
Yes,

Restricted Groups... Scope the GPO to the location in AD in which the
servers reside (usually a Servers OU accordingly). They will be local
administrators on those servers but not a Domain Admin.

Without knowing much else about the situation, I'd even say that is way
too much rights; what are the functions that these non-domain admin group
members need to accomplish?

Z

Edward Ziots
CISSP, MCSA, MCP+I, Security+, Network+, CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org

From: Graeme Carstairs [mailto:loonyto...@gmail.com]
Sent: Thursday, June 10, 2010 9:48 AM
To: NT System Admin Issues
Subject: Here's a weird one - customer wants to give domain admin rights
to non domain admin group members.

I have been asked by a customer if on their 2003 AD domain it is
possible for someone to have admin rights to the servers and not be a
member of domain admins.

and local admin groups on member servers.

Anyone know if it can be done?

Graeme


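
Alan's warning about Restricted Groups stripping service accounts, and the Restricted Groups suggestions from James Rankin and Edward Ziots, all concern the same policy mechanism, and the difference between its two forms is visible in the GPO's security template. The script below is an added example and not code from anyone in the thread: it reads the [Group Membership] section of a GptTmpl.inf and reports whether local Administrators is being replaced ("Members" form) or merely added to ("Member Of" form). The group name CONTOSO\ServerAdmins, the SYSVOL path and both sample templates are constructed for this example.

```powershell
# Added example, not code from the thread. Inspects the Restricted Groups
# section of a GPO's security template (GptTmpl.inf) before the GPO is linked,
# and tells the two forms apart:
#   <group>__Members = <list>    the group's membership becomes exactly <list>
#                                (everything else is removed at refresh)
#   <group>__Memberof = <list>   <group> is added to each group in <list>,
#                                existing members are left alone
# Groups given as SIDs carry a leading '*'; S-1-5-32-544 is local Administrators.
# CONTOSO\ServerAdmins, the SYSVOL path and both sample templates are constructed.

function Get-RestrictedGroupEntries {
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            # Only the [Group Membership] section carries Restricted Groups entries
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or $trimmed -eq '') { continue }

        if ($trimmed -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $targets = @($Matches.list -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            [pscustomobject]@{ Group = $Matches.group; Kind = $Matches.kind; Targets = $targets }
        }
    }
}

function Test-RestrictedGroupsPolicy {
    param([Parameter(Mandatory)][string]$InfText)

    foreach ($entry in Get-RestrictedGroupEntries -InfText $InfText) {
        # Built-in local groups are S-1-5-32-*; a Members entry on one of them is
        # the form that strips service accounts and anything else not listed.
        $isBuiltinLocal = ($entry.Group -like '*S-1-5-32-*') -or ($entry.Group -eq 'Administrators')

        if ($entry.Kind -eq 'Members' -and $isBuiltinLocal) {
            $list = if ($entry.Targets.Count) { $entry.Targets -join ', ' } else { '<nothing>' }
            Write-Warning ("{0}: membership will be replaced with [{1}] on every machine in scope" -f $entry.Group, $list)
        }
        elseif ($entry.Kind -eq 'Memberof' -and $entry.Targets.Count) {
            "OK: {0} is added to {1}; existing members are kept" -f $entry.Group, ($entry.Targets -join ', ')
        }
    }
}

# Constructed sample 1: the replace-everything form on local Administrators.
$replaceForm = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = CONTOSO\ServerAdmins
'@

# Constructed sample 2: the additive form, with the domain group as the restricted group.
$additiveForm = @'
[Unicode]
Unicode=yes
[Group Membership]
CONTOSO\ServerAdmins__Memberof = *S-1-5-32-544
CONTOSO\ServerAdmins__Members =
'@

Test-RestrictedGroupsPolicy -InfText $replaceForm    # emits a warning
Test-RestrictedGroupsPolicy -InfText $additiveForm   # emits the OK line

# For a real GPO, read the template out of SYSVOL (placeholder path):
# Test-RestrictedGroupsPolicy -InfText (Get-Content -Raw '\\contoso.example\SYSVOL\contoso.example\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf')
```

The additive form is the one to use when the goal is only to put a domain group into local Administrators. Group Policy Preferences, Malcolm's suggestion, is another additive route; it is stored in Groups.xml rather than GptTmpl.inf, so this checker does not see it.
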