e-From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Rocky Habeeb
Sent: Monday, October 10, 2005 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
"Is a tool like that something people would be willing
:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Define within reason.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky
, October 11, 2005 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
joe,
You know this is not possible. No one has your knowledge base! I mean no
one. You're in a class by yourself. You define the class, it's a little
bit like God
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
joe,
You know this is not possible. No one has your knowledge base! I mean
no one. You're in a class by yourself. You define the class, it's a
little bit like God. No one can touch you! Okay enough adulation.
Anyways, I
?
_
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, October 11, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Rocky, you
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
interrupts the regularly scheduled program
You know joe is in a class by himself because he wasn't allowed to play with
the other kids, right? G
/interrupts the regularly scheduled program
FWIW
]
] On Behalf Of Rich Milburn
Sent: Tuesday, October 11, 2005 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Rocky, you should make the time to become familiar with a few of them, because if you do, you'll see how useful they can
Milburn
Sent: Tuesday, October 11, 2005 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Al wrote:
Oh, and email isn't what I would call a reliable method of
notification in that type of situation...
soap box mode It's nice to hear
PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Define within reason.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED
, 2005 11:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Ah global won't have the issue with primary group since it used the NET* calls. However, it won't catch nesting that is disallowed in NT, those entries will be curiously absent because
Define within reason.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, October 10, 2005 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Is a tool like
Sent: Friday, October 07, 2005 8:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
I am.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 10:20 PM
-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, October 08, 2005 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
What about people who have those groups as a primary group? 30 seconds is a
long
comes into play... Fortunately we don't have that
problem
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
How
@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Both can be defeated.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 06, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE
Of David Cliffe
Sent: Thursday, October 06, 2005 10:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Hi joe...I've seen you make this reference in the past and can't
remember if you've elaborated on it as well (sorry for not searching -
feel
, October 07, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Care to elaborate on what you mean by defeated? Are you suggesting that
gpo's can be overridden by a local user w/o admin rights?
-Original Message-
From: [EMAIL
you were worried about
Yesterday? -anon
From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 10/7/2005 6:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
You have to look at what the scripts and GPOs
I am.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 10:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Joe,
I actually thought you were
8:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
I am.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 10:20 PM
To: ActiveDir
We run a simple process that monitors the members of elevated privilege
groups. Any changes trigger a notification. Doesn't address the
prevention but will allow you to capture the occurrence and deal with it
appropriately.
Diane
-Original Message-
From: [EMAIL PROTECTED]
Limit the number of domain admins, audit user and group management and use MOM to alert you to changes to the group membership of the Domain Admins group. You could likely script that alerting as well if you don't use MOM.
Phil
On 10/6/05, Devan Pala [EMAIL PROTECTED] wrote:
Hi,
We have about 7
Use a restricted group policy, or use one of Alain Lissoir's (lissware.net)
scripts.
You can find info on either method by searching through the archives of this
list, or you could use google ... ahem I meant msn search :)
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP -
respond J
Travis
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Thursday, October 06, 2005 2:16 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Modifying Domain Admins Administrators Group
Limit the number of domain admins, audit user
I heard the second best answer to this when in Seattle chomping on a burger
with ~Eric, Brett, and Brian Desmond. Brian said, and I sort of quote, "When
someone adds someone else to an admin group that they aren't supposed to, I
remove the person they added and the person who did it."
The best
Both can be defeated.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 06, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
Use a restricted
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
How does it work? Do you use LDAP to look at the membership? If so, you
probably have a hole in the implementation.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent
, October 06, 2005 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins Administrators Group
We run a simple process that monitors the members of elevated privilege
groups. Any changes trigger a notification. Doesn't address the
prevention but will allow you
28 matches