| Author | Messages | |
kurtbuff
Posts:169
 | | 06/09/2009 5:56 PM |
| In our small environment (250 users across three countries, 2 DAs, 2 desktop support staff in the US, and 1 desktop support person in each foreign office) I took away the ability of the users to add *any* machines to the domain, then delegated the Workstation OU to the desktop support folks and gave them a script that joins the machine to the domain and places it in the correct OU while doing so.
End users don't build machines that touch the production network - they can do whatever they want in the test/dev network...
Kurt
On Tue, Jun 9, 2009 at 09:37, Leslie, Tyson (Calgary) <Tyson.Leslie@worleyparsons.com> wrote:
> We suggested exactly that here, and the amount of overhead that it created
> (pre-creating all computer accounts) was deemed to be excessive.
> (Politics…) What we implemented instead was a GPO on the redirected
> Computers OU that forces a nag message to pop up every few minutes on the
> screen of every computer in the new default OU, informing them that their
> computer was in the wrong OU, and to call their local help desk. The
> message is only annoying - it doesn't log them out, reboot, or do anything
> that might prevent a person from working; it just bugs them.
>
> That solved most of the problems.
>
> Cheers,
>
> Tyson.
>
> Regards,
>
> Tyson Leslie
> Systems Architect
> Group ICT Infrastructure and Architecture
> WorleyParsons
> Phone: +1 403 258 8153
> Fax: +1 403 258 5899
> Mobile: +1 403 861 3043
> Email: Tyson.Leslie@WorleyParsons.com
>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Tony Gordon
> Sent: Monday, June 08, 2009 1:09 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Domain Admins Access
>
> Thanks Pat.
>
> That does seem to work and I am considering that course of action.
>
> Thank you, Tony.
>
> Tony Gordon
> Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
> Tel 847.295.5000 x37892 | Fax 847.883.7892
> tony dot gordon at hewitt dot tld
> Please consider the environment before printing this e-mail.
>
> From: "Pat Goss" <gossp13@gmail.com>
> To: activedir@mail.activedir.org
> Date: 06/06/2009 09:40 AM
> Subject: Re: [ActiveDir] Domain Admins Access
> Sent by: activedir-owner@mail.activedir.org
>
> Tony - I have run into that same problem, the solution we came up with was
> to set the ms-DS-MachineAccountQuota attribute to 0. This forced everyone
> (except DA's) to pre-create a computer object prior to joining the computer
> to the domain. We then followed the same path of assigning computer ACLs on
> specific OU's. The only catch was training the Desktop Admins to remember
> to use their group when the pre-created computer object asked for delegation
> rights. Works like a charm though, only accounts that are in the AD first
> work, everyone else gets access denied.
>
> -pat
>
> On Mon, Jun 1, 2009 at 6:20 PM, Tony Gordon <Tony.Gordon@hewitt.com> wrote:
> I am looking for a way to let a specific group of people join devices to
> the domain, but only to the list of Organizational Units that I want the
> devices to reside in.
>
> Seemed simple. Grant the group rights to join workstations to the domain,
> delegate the appropriate tasks on the Organizational Units and you are good.
>
> Hit a little snag. At first blush I am not able to restrict adding the
> computers to the default Organizational Unit (I have redirected cn=computers
> to an Organizational Unit).
>
> While there are no explicit permissions assigned to the group on that
> Organizational Unit, a member of the group can successfully join computers
> into that default Organizational Unit. After removing Authenticated Users
> and the Pre-Win2000 group from the ACL I get an error that the SPN could not
> be written (even though both of them only had READ rights to begin with),
> but the computer object is still created.
>
> Is that something embedded in the code?
>
> Thank you, Tony.
>
> Tony Gordon
> Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
> ITS Infrastructure Engineering
> tony dot gordon at hewitt dot tld | www.hewitt.com
>
> ________________________________
>
> The information contained in this e-mail and any accompanying documents may
> contain information that is confidential or otherwise protected from
> disclosure. If you are not the intended recipient of this message, or if
> this message has been addressed to you in error, please immediately alert
> the sender by reply e-mail and then delete this message, including any
> attachments. Any dissemination, distribution or other use of the contents of
> this message by anyone other than the intended recipient is strictly
> prohibited. All messages sent to and from this e-mail address may be
> monitored as permitted by applicable law and regulations to ensure
> compliance with our internal policies and to protect our business. E-mails
> are not secure and cannot be guaranteed to be error free as they can be
> intercepted, amended, lost or destroyed, or contain viruses. You are deemed
> to have accepted these risks if you communicate with us by e-mail.
>
> *** WORLEYPARSONS GROUP NOTICE ***
> "This email is confidential. If you are not the intended recipient, you
> must not disclose or use the information contained in it.
> If you have received this email in error, please notify us immediately by
> return email and delete the email and any attachments.
> Any personal views or opinions expressed by the writer may not
> necessarily reflect the views or opinions of any company in the
> WorleyParsons Group of Companies."
| | | |
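Pat's ms-DS-MachineAccountQuota change and Kurt's "join into the right OU" script, as an added PowerShell example (not Kurt's or Pat's own script). It assumes the RSAT ActiveDirectory module, a domain corp.example, a delegated workstation OU and a desktop-support group that already has Create Computer objects delegated on that OU; all of those names are placeholders.

```powershell
# Added example; not Kurt's or Pat's actual script. Assumes the RSAT
# ActiveDirectory module; the domain and OU below are placeholders.
Import-Module ActiveDirectory

$DomainFqdn = 'corp.example'                                     # assumed
$OuPath     = 'OU=Workstations,OU=Desktops,DC=corp,DC=example'   # assumed: OU delegated to desktop support

# Step 1 (Pat's change, run once by a DA): close the self-service join path.
# The default quota of 10 lets any authenticated user create 10 computer
# objects in the default computer container, and it is the quota check, not
# the container's ACL, that authorizes that creation (consistent with Tony's
# observation that trimming the OU ACL did not stop the object appearing).
function Set-MachineAccountQuota {
    param([int]$Quota = 0)
    $domainDn = (Get-ADDomain -Identity $DomainFqdn).DistinguishedName
    $current  = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    if ($current -ne $Quota) {
        Set-ADDomain -Identity $DomainFqdn -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
    }
    return $current   # previous value, for the change record
}

# Step 2 (Pat's model): pre-stage the object in the delegated OU. With the quota
# at 0 only a name that already exists here can be joined, and only by a
# principal with rights on the object or Create Computer objects on the OU.
function New-PrestagedComputer {
    param([Parameter(Mandatory)][string]$Name, [string]$Path = $OuPath)
    New-ADComputer -Name $Name -Path $Path -Enabled $true -PassThru
}

# Step 3 (Kurt's model, run on the new machine by desktop support): join straight
# into the delegated OU so the box never lands in the redirected default OU.
# -Restart needs PowerShell 3.0 or later.
function Join-DelegatedOU {
    param([Parameter(Mandatory)][pscredential]$Credential)
    Add-Computer -DomainName $DomainFqdn -OUPath $OuPath -Credential $Credential -Restart
}

# Step 4 (check, from the admin workstation): did the object land where the
# delegation says it should?
function Test-ComputerInOU {
    param([Parameter(Mandatory)][string]$Name, [string]$Path = $OuPath)
    $dn = (Get-ADComputer -Identity $Name).DistinguishedName
    return [bool]($dn -like "CN=$Name,$Path")
}

# Typical sequence: a DA runs Set-MachineAccountQuota once; desktop support then
# pre-stages (New-PrestagedComputer -Name 'WS-0001') or joins directly
# (Join-DelegatedOU -Credential (Get-Credential)) and verifies with
# Test-ComputerInOU -Name 'WS-0001'.
```

With the quota at 0, Add-Computer fails with access denied for anyone whose account has neither an ACE on a pre-staged object nor Create Computer objects on the target OU, which is the "everyone else gets access denied" behaviour Pat describes.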
| TG
Posts:255
 | | 06/10/2009 9:09 PM |
| I agree, object pre-creation would not be feasible in our environment either. However, I was considering allowing people to join (we have a number of server groups that are doing it currently), but not in the default Organizational Unit (already redirected with a nuisance policy).
The more I think about it the more it seems that the initial idea was not that great to begin with. If I disallow them from joining into the default Organizational Unit, they will find a dumping ground somewhere else, where they are allowed. Alternatively, I will be forced to manage a fairly complicated set of permissions.
Hard to explain without drawing the Organizational Unit structure. Bottom line, I will probably leave things be as they are. 
Thank you, Tony.
Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
Tel 847.295.5000 x37892 | Fax 847.883.7892
Please consider the environment before printing this e-mail.
From: "Leslie, Tyson (Calgary)" <Tyson.Leslie@WorleyParsons.com> To: "activedir@mail.activedir.org" <activedir@mail.activedir.org> Date: 06/09/2009 11:36 AM Subject: RE: [ActiveDir] Domain Admins Access Sent by: activedir-owner@mail.activedir.org
We suggested exactly that here, and the amount of overhead that it created (pre-creating all computer accounts) was deemed to be excessive. (Politics…) What we implemented instead was a GPO on the redirected Computers OU that forces a nag message to pop up every few minutes on the screen of every computer in the new default OU, informing them that their computer was in the wrong OU, and to call their local help desk. The message is only annoying - it doesn't log them out, reboot, or do anything that might prevent a person from working; it just bugs them.
That solved most of the problems.
Cheers,
Tyson.
Regards,
Tyson Leslie
Systems Architect
Group ICT Infrastructure and Architecture
WorleyParsons
Phone: +1 403 258 8153
Fax: +1 403 258 5899
Mobile: +1 403 861 3043
Email: Tyson.Leslie@WorleyParsons.com
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Tony Gordon Sent: Monday, June 08, 2009 1:09 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
Thanks Pat.
That does seem to work and I am considering that course of action.
Thank you, Tony.
Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
Tel 847.295.5000 x37892 | Fax 847.883.7892
tony dot gordon at hewitt dot tld
Please consider the environment before printing this e-mail.
From: "Pat Goss" <gossp13@gmail.com> To: activedir@mail.activedir.org Date: 06/06/2009 09:40 AM Subject: Re: [ActiveDir] Domain Admins Access Sent by: activedir-owner@mail.activedir.org
Tony - I have run into that same problem, the solution we came up with was to set ms-DS-MachineAccountQuota attribute to 0. This forced everyone (except DA's) to pre-create a computer object prior to joining the computer to the domain. We then followed the same path of assigning computer ACLs on specific OU's. The only catch was training the Desktop Admins to remember to use their group when the pre-created computer object asked for delegation rights. Works like a charm though, only accounts that are in the AD first work, everyone else gets access denied.
-pat
On Mon, Jun 1, 2009 at 6:20 PM, Tony Gordon <Tony.Gordon@hewitt.com> wrote:
I am looking for a way to let a specific group of people join devices to the domain, but only to the list of Organizational Units that I want the devices to reside in.
Seemed simple. Grant the group rights to join workstations to the domain, delegate the appropriate tasks on the Organizational Units and you are good.
Hit a little snag. At first blush I am not able to restrict adding the computers to the default Organizational Unit (I have redirected cn=computers to an Organizational Unit).
While there are no explicit permissions assigned to the group on that Organizational Unit, a member of the group can successfully join computers into that default Organizational Unit. After removing Authenticated Users and the Pre-Win2000 group from the ACL I get an error that the SPN could not be written (even though both of them only had READ rights to begin with), but the computer object is still created.
Is that something embedded in the code?
Thank you, Tony.
Tony Gordon
Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP
ITS Infrastructure Engineering
tony dot gordon at hewitt dot tld | www.hewitt.com
| | | |
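Tony's snag (who can still create computer objects in the redirected default container, and why trimming the ACL did not stop the join) as an added PowerShell audit, not code from the thread. It assumes the RSAT ActiveDirectory module, PowerShell 3.0 or later, and a session allowed to read the container's security descriptor; it reports both join paths, ACEs granting creation and the quota.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and PowerShell 3.0+; reports both ways a machine can end up in the
# default computer container: an ACE granting creation, or the quota.
Import-Module ActiveDirectory

# schemaIDGUID of the 'computer' class. An Allow CreateChild ACE whose ObjectType
# is this GUID (or the all-zero GUID, meaning any child class) is what grants
# "Create Computer objects" on the container. GenericAll includes the bit too.
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-ComputerCreateAces {
    param([Parameter(Mandatory)][string]$ContainerDn)
    $acl = Get-Acl -Path ("AD:\" + $ContainerDn)
    foreach ($ace in $acl.Access) {
        $createChild = ([int]($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild)) -ne 0
        $anyClass    = ($ace.ObjectType -eq [guid]::Empty)
        if ($createChild -and ($anyClass -or $ace.ObjectType -eq $ComputerClassGuid)) {
            $scope = if ($anyClass) { 'any child class' } else { 'computer class' }
            [pscustomobject]@{
                Container = $ContainerDn
                Trustee   = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType.ToString()   # Allow or Deny
                Scope     = $scope
                Inherited = $ace.IsInherited
                Rights    = $ace.ActiveDirectoryRights.ToString()
            }
        }
    }
}

function Get-DefaultContainerJoinPaths {
    $domain = Get-ADDomain
    # ComputersContainer honours redircmp, so this is the OU cn=Computers was
    # redirected to, i.e. Tony's "default Organizational Unit".
    $container = $domain.ComputersContainer
    $quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    [pscustomobject]@{
        DefaultComputerContainer = $container
        MachineAccountQuota      = $quota
        # A non-zero quota is a join path that never shows up in the ACL: the
        # joining user needs no ACE at all, which matches Tony's observation.
        QuotaJoinOpen            = ($quota -gt 0)
        CreateAces               = @(Get-ComputerCreateAces -ContainerDn $container)
    }
}

$report = Get-DefaultContainerJoinPaths
$report | Format-List DefaultComputerContainer, MachineAccountQuota, QuotaJoinOpen
$report.CreateAces | Format-Table Trustee, Type, Scope, Inherited -AutoSize
```

If QuotaJoinOpen is true, an empty CreateAces list still leaves ordinary users able to drop machines into the container; if it is false, the ACE table is the complete list of who can.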
| Patrick
Posts:18
 | | 07/01/2009 3:45 PM |
| Thanks for all the options given so far, but it's been a tiring and vexing issue! I took the diplomatic road on this issue and it is working! The mandate now is to cut down the domain admins to 3 or 4 possibly. Now my dilemma is how do I go forward getting products like Acronis (backup software for our servers) and SharePoint to work by delegating permissions? (There are a few angry people in the department now that are not willing to assist with this request)
regards
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Healey Sent: Tuesday, May 26, 2009 10:10 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
Loopback logon script for your domain controllers. Just have it check the UPN or sAMAccountName and force a log off as soon as they log on. You could even present them with a nice popup saying, "Have a nice day. Thanks for playing."
The logic is easy:
For Each admin In badAdmins
    If admin = logonName Then ForceLogoff
Next
In reality, those that have responded so far are correct. It sounds like your management and security personnel should be doing their jobs better. However, I guess it all depends on the situation. Just keep in mind Newton's laws of motion. Something like this could come back and bite you in the arse.
Andrew J Healey http://halfloaded.com
On Tue, May 26, 2009 at 7:58 AM, Patrick Paul <patrickp@batelnet.bs> wrote:
> Is there a way to block DOMAIN ADMINS from logging on to a DC and member
> servers?
>
> I know this is a strange question but the reason is simple when you're looking
> at it from my perspective. I am responsible for DCs but other administrators
> with DOMAIN ADMIN accounts exist and are trespassing and doing whatever they
> wish.
>
> Regards
>
> Patrick
| | | |
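Andrew's For Each / ForceLogoff idea as an added PowerShell user logon script (not his script). It assumes a GPO linked to the Domain Controllers OU with loopback processing in replace mode, so the script runs for every interactive logon on a DC, and the allow-list group SID is a placeholder.

```powershell
# Added example, not the list post's script. Delivered as a user logon script
# by a GPO on the Domain Controllers OU with loopback (replace) so it fires for
# every interactive logon on a DC. The group SID is a placeholder.
$AllowedGroupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1105'   # placeholder: the "DC Operators" group
$Source          = 'DCLogonGuard'

function Test-LogonAllowed {
    param(
        [Parameter(Mandatory)][string[]]$TokenGroupSids,
        [Parameter(Mandatory)][string]$AllowedSid
    )
    # Compare SIDs, not names: accounts and groups can be renamed, SIDs cannot,
    # and a name-based "badAdmins" list would need constant upkeep.
    return [bool]($TokenGroupSids -contains $AllowedSid)
}

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groupSids = @($identity.Groups | ForEach-Object { $_.Value })

if (-not (Test-LogonAllowed -TokenGroupSids $groupSids -AllowedSid $AllowedGroupSid)) {
    # Leave an audit trail before bouncing the session; the event is what the
    # DC owner actually wants to see later.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source -EventId 1000 -EntryType Warning `
        -Message "Interactive logon by $($identity.Name) on $env:COMPUTERNAME is not on the DC allow-list; logging the session off."
    # Andrew's popup (shown for 10 seconds), then the forced logoff of this session.
    msg.exe $env:USERNAME /TIME:10 "Interactive logon to domain controllers is restricted to the DC operators group. Logging you off."
    shutdown.exe /l /f
}
```

The supported way to get the same result is the Deny log on locally and Deny log on through Terminal Services user rights in the Default Domain Controllers Policy; this script is an audit trail plus a nuisance, not a boundary, since a Domain Admin can unlink the GPO, which is the "come back and bite you" risk Andrew notes.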
| bdesmond
Posts:843
 | | 07/01/2009 5:06 PM |
| Acronis is a disk imaging product and you're planning to use that to backup DCs?
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Patrick Paul Sent: Wednesday, July 01, 2009 9:36 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins Access
| | | |
| ZJORZ
Posts:282
 | | 07/01/2009 9:14 PM |
| Brian is basically saying: ACRONIS IS NOT AD AWARE! 
Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto | Senior Technical Consultant | MVP IdA-DS | Oxford Computer Group BeNeLux
O: +31 (0)6 26.26.62.80 | +31 (0)70 36.21.627 | +31 (0)70 36.21.677
Sweelinckplein 9 (Unit 11), 2517 GK, Den Haag, The Netherlands
www.oxfordcomputergroup.com | Expertise in Identity & Access Management
Registered nr Chamber of Commerce/KvK 32129259, VAT/BTW NL8188.31.972.BO1
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond Sent: Wednesday, July 01, 2009 18:05 To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins Access
__________ Information from ESET Smart Security, version of virus signature database 4205 (20090701) __________
The message was checked by ESET Smart Security.
http://www.eset.com
| | | |
| smsadm
Posts:29
 | | 07/01/2009 9:24 PM |
| He's probably using this product: http://www.acronis.com/enterprise/products/ATISWin/
On Wed, Jul 1, 2009 at 12:04 PM, Brian Desmond <brian@briandesmond.com>wrote:
-- smsadm
| | | |
| listmail
Posts:763
 | | 07/01/2009 11:00 PM |
| In none of the environments that I have worked on did we ever give rights to the backup team nor the sharepoint team to Domain Controllers. Definitely not Domain Admins and they were all able to work fine. Sharepoint I see no reason for having DA access. For backups I can kind of see it if you are letting them manage the backup software on a DC (which I wouldn't do and haven't ever done).
joe
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Patrick Paul Sent: Wednesday, July 01, 2009 10:36 AM To: activedir@mail.activedir.org Subject: RE: [ActiveDir] Domain Admins Access
| | | |
| kurtbuff
Posts:169
 | | 07/01/2009 11:33 PM |
| So how would you handle backups for DCs? I work in a much smaller environment, so I just have the backup dump to a protected share on our file server that only DAs have access to, but that probably wouldn't scale.
Kurt
On Wed, Jul 1, 2009 at 15:00, joe <listmail@joeware.net> wrote:
| | | |
| bdesmond
Posts:843
 | | 07/01/2009 11:35 PM |
| One way I've done it many times is that share also has access for whatever account the backup program runs as and it just collects the backup from there.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
Active Directory, 4th Ed - http://www.briandesmond.com/ad4/ Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
-----Original Message----- From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Kurt Buff Sent: Wednesday, July 01, 2009 5:31 PM To: activedir@mail.activedir.org Subject: Re: [ActiveDir] Domain Admins Access
| | | |
| Ravi.Sabharanjak@barclaysglobal.com
Posts:0
 | | 07/01/2009 11:49 PM |
| You can convert the attached to a vbscript and schedule it to run every day for a system state backup. This keeps 7 days worth of backups locally and does not take much space.
The script is in NetIQ appmanager format, however it is basically vbscript and can be converted to standalone script with a small effort.
You can schedule the script to run as the local system using schtasks.exe as well.
-Ravi
--
This message and any attachments are confidential, proprietary, and may be privileged. If this message was misdirected, Barclays Global Investors (BGI) does not waive any confidentiality or privilege. If you are not the intended recipient, please notify us immediately and destroy the message without disclosing its contents to anyone. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. The views and opinions expressed in this e-mail message are the author's own and may not reflect the views and opinions of BGI, unless the author is authorized by BGI to express such views or opinions on its behalf. All email sent to or from this address is subject to electronic storage and review by BGI. Although BGI operates anti-virus programs, it does not accept responsibility for any damage whatsoever caused by viruses being passed.
| | | |
| kurtbuff
Posts:169
 | | 07/02/2009 12:17 AM |
| That's pretty cool.
I just use NTBackup to do the dump to the file server, and it gets picked up each night as a new file.
| | | |
| Ravi.Sabharanjak@barclaysglobal.com
Posts:0
 | | 07/02/2009 12:22 AM |
| The script just makes a call to ntbackup to create a systemstate backup as well. It also cleans up the old backup files, thus keeping the data growth under control.
| | | |
| kurtbuff
Posts:169
 | | 07/02/2009 12:26 AM |
| Ah - but still, it's nice to see more vbscript - it's definitely not my strong suit.
| | | |
| ken
Posts:140
 | | 07/02/2009 4:51 AM |
| People who administer SharePoint can be put into an AD group and that group added to the Farm Administrators group in SharePoint.
SharePoint also has a very rich delegation model that allows Site Collection owners to be specified separately, User Profile stuff to be managed separately, and it can use a bazillion different accounts and web app pools and databases to separate everything out.
There is no need to be a domain admin to admin SharePoint. The MOSS Farm account may require local admin privileges (e.g. to update HOSTS file). And your guys might need local Administrator access if they install SharePoint patches/CUs/updates/service packs.
Cheers Ken
| | | |
| skaufman-itt
Posts:29
 | | 07/02/2009 2:20 PM |
| This is what we have running every night. Keeps 7 days worth of backups locally, and optionally can copy off to a file server somewhere.
rem Daily system-state backup of this DC. The %date:~0,3% weekday prefix
rem (Mon..Sun under the US "Ddd mm/dd/yyyy" date format) gives seven rotating
rem file names, so a week of backups is kept locally and older ones are overwritten.
ntbackup backup systemstate /f C:\SystemStateBackups\%date:~0,3%-%computername%.bkf
rem * Optional: copy to a file server somewhere
rem copy C:\SystemStateBackups\%date:~0,3%-%computername%.bkf \\server\dcbackups /y
Scott Kaufman Lead Network Analyst ITT ESI, Inc.
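The two approaches above (Ravi's daily system-state backup with seven-day local retention, scheduled as LocalSystem through schtasks.exe, and Scott's weekday-named ntbackup batch file) combined into one PowerShell script, as an added example; it is not code from either poster or from the thread. It assumes Windows Server 2003-era ntbackup.exe and PowerShell 2.0, and the folder C:\SystemStateBackups, the share \\server\dcbackups and the script path C:\Scripts\Backup-DcSystemState.ps1 are placeholders.

```powershell
# Added example (not from the thread): daily DC system-state backup with
# ntbackup.exe, seven-day local retention, optional copy to a file server,
# and a one-time schtasks.exe registration that runs the script as SYSTEM.
# Assumptions: Windows Server 2003-era ntbackup.exe, PowerShell 2.0, and the
# placeholder paths below.
param(
    [string]$BackupRoot   = 'C:\SystemStateBackups',   # assumed local folder
    [int]   $KeepDays     = 7,
    [string]$OffsiteShare = ''                          # e.g. '\\server\dcbackups'; empty = skip
)

$ErrorActionPreference = 'Stop'

function Get-BackupFileName {
    # Date-stamped names (instead of the %date:~0,3% weekday prefix) do not
    # depend on the locale's %date% layout and never collide if the task runs
    # twice in one day; retention is then driven by file age, not by name.
    param([string]$Root, [string]$Computer, [datetime]$When)
    Join-Path $Root ('{0}-{1}-systemstate.bkf' -f $When.ToString('yyyyMMdd-HHmm'), $Computer)
}

function Invoke-DcSystemStateBackup {
    param([string]$BackupFile)
    $ntbackup = Join-Path $env:SystemRoot 'system32\ntbackup.exe'
    # ntbackup.exe is a GUI-subsystem program, so the call operator (&) would
    # return before it finishes; Start-Process -Wait blocks until it exits.
    # /J names the job in the backup log, /L:s keeps that log summary-only.
    $ntbArgs = @('backup', 'systemstate',
                 '/J', ('"SystemState {0}"' -f $env:COMPUTERNAME),
                 '/F', ('"{0}"' -f $BackupFile),
                 '/L:s')
    Start-Process -FilePath $ntbackup -ArgumentList $ntbArgs -Wait -WindowStyle Hidden
    # ntbackup's exit code is not a reliable success signal; check the output file.
    if (-not (Test-Path $BackupFile) -or (Get-Item $BackupFile).Length -eq 0) {
        throw "System state backup was not written to $BackupFile"
    }
}

function Remove-ExpiredBackups {
    # Keeps data growth under control: delete .bkf files older than $Days.
    param([string]$Root, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Filter '*.bkf' |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        Remove-Item -Force
}

if (-not (Test-Path $BackupRoot)) {
    New-Item -ItemType Directory -Path $BackupRoot | Out-Null
}
# A system-state backup contains NTDS.dit (the directory database, including
# password hashes); restrict the folder's NTFS ACL to SYSTEM and the DC admins.

$file = Get-BackupFileName -Root $BackupRoot -Computer $env:COMPUTERNAME -When (Get-Date)
Invoke-DcSystemStateBackup -BackupFile $file
Remove-ExpiredBackups -Root $BackupRoot -Days $KeepDays

if ($OffsiteShare) {
    # Running as SYSTEM, the copy authenticates to the share as the DC's
    # computer account, so the share and NTFS ACLs must grant that account
    # (or the Domain Controllers group) write access and nothing broader.
    Copy-Item -Path $file -Destination $OffsiteShare -Force
}

# One-time registration, run from an elevated prompt on the DC (assumed script
# path). SYSTEM needs no stored password and already holds backup privilege.
#   schtasks /Create /TN "DC SystemState Backup" /SC DAILY /ST 02:00 /RU SYSTEM ^
#     /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Backup-DcSystemState.ps1"
```

The retention is by file age rather than by weekday name, so a DC that misses a night does not silently lose a slot. On Windows Server 2008 and later ntbackup.exe is gone; the equivalent is wbadmin start systemstatebackup -backupTarget:<volume>, with the same ACL concerns for wherever the output lands.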
| | | |
| listmail
Posts:763
 | | 07/03/2009 6:50 AM |
| Actually I have seen that method work in large environments (> 70k users with >150 DCs). I have also seen backup software (TSM/ADSM) running on the DC that is fully managed by the AD Team and the backup team manages the backend storage used by the backup system. I have also seen a systemstate backup that is dumped to a share on the DC that is open to the backup team to come and grab.
-- O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Kurt Buff
Sent: Wednesday, July 01, 2009 6:31 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Access
So how would you handle backups for DCs? I work in a much smaller environment, so I just have the backup dump to a protected share on our file server that only DAs have access to, but that probably wouldn't scale.
Kurt
On Wed, Jul 1, 2009 at 15:00, joe<listmail@joeware.net> wrote:
> In none of the environments that I have worked on did we ever give rights to the backup team nor the sharepoint team to Domain Controllers. Definitely not Domain Admins and they were all able to work fine. Sharepoint I see no reason for having DA access. For backups I can kind of see it if you are letting them manage the backup software on a DC (which I wouldn't do and haven't ever done).
>
> joe
>
> --
> O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
>
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Patrick Paul
> Sent: Wednesday, July 01, 2009 10:36 AM
> To: activedir@mail.activedir.org
> Subject: RE: [ActiveDir] Domain Admins Access
>
> Thanks for all the options given so far, but it's been a tiring and vexing issue!
> I took the diplomatic road on this issue and it is working!
> The mandate now is to cut down the domain admins to 3 or 4 possibly.
> Now my dilemma is how do I go forward getting products like Acronis (backup software for our servers), and SharePoint to work by delegating permissions?
> (There are a few angry people in the department now that are not willing to assist with this request)
>
> regards
>
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Healey
> Sent: Tuesday, May 26, 2009 10:10 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Domain Admins Access
>
> Loopback logon script for your domain controllers. Just have it check the UPN or sAMAccountName and force a log off as soon as they log on. You could even present them with a nice popup saying, "Have a nice day. Thanks for playing."
>
> The logic is easy:
>
> For Each admin in badAdmins
>     If admin = logonName Then ForceLogoff
> Next
>
> In reality, those that have responded so far are correct. It sounds like your management and security personnel should be doing their jobs better. However, I guess it all depends on the situation. Just keep in mind Newton's laws of motion. Something like this could come back and bite you in the arse.
>
> Andrew J Healey
> http://halfloaded.com
>
> On Tue, May 26, 2009 at 7:58 AM, Patrick Paul <patrickp@batelnet.bs> wrote:
>> Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?
>>
>> I know this is a strange question but the reason is simple when you're looking at it from my perspective. I am responsible for DCs but other administrators with DOMAIN ADMIN accounts exist and are trespassing and doing whatever they wish.
>>
>> Regards
>>
>> Patrick
| | | |
| kurtbuff
Posts:169
 | | 07/03/2009 9:04 PM |
| Cool.
Nice to know that what I'm doing isn't so weird after all.
We use TSM here, too, but don't have many client licenses, which is why I chose to do it that way.
And, on a different note, while I respect and like TSM in some ways, I find it too complex and needing too much operator interaction for our small environment, which is about 25 servers. We don't back up workstations.
Kurt
On Thu, Jul 2, 2009 at 22:49, joe<listmail@joeware.net> wrote:
> Actually I have seen that method work in large environments (> 70k users with >150 DCs). I have also seen backup software (TSM/ADSM) running on the DC that is fully managed by the AD Team and the backup team manages the backend storage used by the backup system. I have also seen a systemstate backup that is dumped to a share on the DC that is open to the backup team to come and grab.
>
> --
> O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
>
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Kurt Buff
> Sent: Wednesday, July 01, 2009 6:31 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Domain Admins Access
>
> So how would you handle backups for DCs? I work in a much smaller environment, so I just have the backup dump to a protected share on our file server that only DAs have access to, but that probably wouldn't scale.
>
> Kurt
>
> On Wed, Jul 1, 2009 at 15:00, joe<listmail@joeware.net> wrote:
>> In none of the environments that I have worked on did we ever give rights to the backup team nor the sharepoint team to Domain Controllers. Definitely not Domain Admins and they were all able to work fine. Sharepoint I see no reason for having DA access. For backups I can kind of see it if you are letting them manage the backup software on a DC (which I wouldn't do and haven't ever done).
>>
>> joe
>>
>> --
>> O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
>>
>> -----Original Message-----
>> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Patrick Paul
>> Sent: Wednesday, July 01, 2009 10:36 AM
>> To: activedir@mail.activedir.org
>> Subject: RE: [ActiveDir] Domain Admins Access
>>
>> Thanks for all the options given so far, but it's been a tiring and vexing issue!
>> I took the diplomatic road on this issue and it is working!
>> The mandate now is to cut down the domain admins to 3 or 4 possibly.
>> Now my dilemma is how do I go forward getting products like Acronis (backup software for our servers), and SharePoint to work by delegating permissions?
>> (There are a few angry people in the department now that are not willing to assist with this request)
>>
>> regards
>>
>> -----Original Message-----
>> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Healey
>> Sent: Tuesday, May 26, 2009 10:10 PM
>> To: activedir@mail.activedir.org
>> Subject: Re: [ActiveDir] Domain Admins Access
>>
>> Loopback logon script for your domain controllers. Just have it check the UPN or sAMAccountName and force a log off as soon as they log on. You could even present them with a nice popup saying, "Have a nice day. Thanks for playing."
>>
>> The logic is easy:
>>
>> For Each admin in badAdmins
>>     If admin = logonName Then ForceLogoff
>> Next
>>
>> In reality, those that have responded so far are correct. It sounds like your management and security personnel should be doing their jobs better. However, I guess it all depends on the situation. Just keep in mind Newton's laws of motion. Something like this could come back and bite you in the arse.
>>
>> Andrew J Healey
>> http://halfloaded.com
>>
>> On Tue, May 26, 2009 at 7:58 AM, Patrick Paul <patrickp@batelnet.bs> wrote:
>>> Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?
>>>
>>> I know this is a strange question but the reason is simple when you're looking at it from my perspective. I am responsible for DCs but other administrators with DOMAIN ADMIN accounts exist and are trespassing and doing whatever they wish.
>>>
>>> Regards
>>>
>>> Patrick
| | | |
| Patrick
Posts:18
 | | 07/03/2009 10:32 PM |
| Thanks guys, but none of the "little kids" wanted to play nice, so the boss reverted to the way it was. No one sat with me and mapped out exactly what they needed access to (claiming to be too busy); they just let backup scripts etc. fail. I just washed my hands of the situation. How many times must we have the same issues come up in our ADRAP? Acronis is not used for DC backups. I just schedule an NTBACKUP for DCs and have it go to a share, that's it. Microsoft does not recommend using images for creating DCs; that was even one of the questions in their ADRAP! The real problem is the other admins and their over-inflated egos. I tried to bring some structure to our network so that our third ADRAP would not have the same issues as the first, but I am frustrated and overruled at every turn.
-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Kurt Buff
Sent: Friday, July 03, 2009 4:04 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Access
Cool.
Nice to know that what I'm doing isn't so weird after all.
We use TSM here, too, but don't have many client licenses, which is why I chose to do it that way.
And, on a different note, while I respect and like TSM in some ways, I find it too complex and needing too much operator interaction for our small environment, which is about 25 servers. We don't back up workstations.
Kurt
On Thu, Jul 2, 2009 at 22:49, joe<listmail@joeware.net> wrote:
> Actually I have seen that method work in large environments (> 70k users with >150 DCs). I have also seen backup software (TSM/ADSM) running on the DC that is fully managed by the AD Team and the backup team manages the backend storage used by the backup system. I have also seen a systemstate backup that is dumped to a share on the DC that is open to the backup team to come and grab.
>
> --
> O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
>
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Kurt Buff
> Sent: Wednesday, July 01, 2009 6:31 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Domain Admins Access
>
> So how would you handle backups for DCs? I work in a much smaller environment, so I just have the backup dump to a protected share on our file server that only DAs have access to, but that probably wouldn't scale.
>
> Kurt
>
> On Wed, Jul 1, 2009 at 15:00, joe<listmail@joeware.net> wrote:
>> In none of the environments that I have worked on did we ever give rights to the backup team nor the sharepoint team to Domain Controllers. Definitely not Domain Admins and they were all able to work fine. Sharepoint I see no reason for having DA access. For backups I can kind of see it if you are letting them manage the backup software on a DC (which I wouldn't do and haven't ever done).
>>
>> joe
>>
>> --
>> O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
>>
>> -----Original Message-----
>> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Patrick Paul
>> Sent: Wednesday, July 01, 2009 10:36 AM
>> To: activedir@mail.activedir.org
>> Subject: RE: [ActiveDir] Domain Admins Access
>>
>> Thanks for all the options given so far, but it's been a tiring and vexing issue!
>> I took the diplomatic road on this issue and it is working!
>> The mandate now is to cut down the domain admins to 3 or 4 possibly.
>> Now my dilemma is how do I go forward getting products like Acronis (backup software for our servers), and SharePoint to work by delegating permissions?
>> (There are a few angry people in the department now that are not willing to assist with this request)
>>
>> regards
>>
>> -----Original Message-----
>> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Andrew Healey
>> Sent: Tuesday, May 26, 2009 10:10 PM
>> To: activedir@mail.activedir.org
>> Subject: Re: [ActiveDir] Domain Admins Access
>>
>> Loopback logon script for your domain controllers. Just have it check the UPN or sAMAccountName and force a log off as soon as they log on. You could even present them with a nice popup saying, "Have a nice day. Thanks for playing."
>>
>> The logic is easy:
>>
>> For Each admin in badAdmins
>>     If admin = logonName Then ForceLogoff
>> Next
>>
>> In reality, those that have responded so far are correct. It sounds like your management and security personnel should be doing their jobs better. However, I guess it all depends on the situation. Just keep in mind Newton's laws of motion. Something like this could come back and bite you in the arse.
>>
>> Andrew J Healey
>> http://halfloaded.com
>>
>> On Tue, May 26, 2009 at 7:58 AM, Patrick Paul <patrickp@batelnet.bs> wrote:
>>> Is there a way to block DOMAIN ADMINS from logging on to a DC and member servers?
>>>
>>> I know this is a strange question but the reason is simple when you're looking at it from my perspective. I am responsible for DCs but other administrators with DOMAIN ADMIN accounts exist and are trespassing and doing whatever they wish.
>>>
>>> Regards
>>>
>>> Patrick
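The DC backup arrangement Patrick and Kurt describe above (a scheduled NTBACKUP of the system state written to a share that only the DC owners can read), as an added Windows PowerShell 2.0 example; this is not the thread's own script, and the share path, retention period, log file, task name and run-as account are assumptions. A system state backup contains the AD database, so the share's ACL is the real control here and deserves the same treatment as the DC itself; the script also uses dated file names, sanity-checks the output instead of trusting the exit code, and prunes old copies inside the tombstone lifetime, since a backup older than that cannot be used to restore a DC.

```powershell
# Added example (not from the thread): the "scheduled NTBACKUP of the system
# state to a share" approach that Kurt and Patrick describe, as a Windows
# PowerShell 2.0 script for a Windows Server 2003 domain controller (ntbackup.exe
# was replaced by wbadmin in Server 2008). Share, retention, log path, task
# name and the run-as account are assumptions.

$BackupShare   = '\\fs01.example.local\dcbackup$'   # assumed hidden share; NTFS ACL: Domain Admins and the backup account only
$RetentionDays = 30                                  # assumed; keep well inside the forest tombstone lifetime
$LogPath       = Join-Path $env:SystemRoot 'Logs\dc-systemstate-backup.log'   # assumed log location

function Invoke-DcSystemStateBackup {
    if (-not (Test-Path -Path $BackupShare)) {
        throw "Backup share $BackupShare is not reachable from $env:COMPUTERNAME; aborting so the failure shows in the task history."
    }

    # Dated file name: without /a, ntbackup overwrites an existing .bkf, so a
    # fixed name would leave exactly one copy, and a failed run could destroy it.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
    $target = Join-Path $BackupShare ('{0}-systemstate-{1}.bkf' -f $env:COMPUTERNAME, $stamp)
    $job    = "SystemState $env:COMPUTERNAME $stamp"

    # ntbackup command-line syntax: ntbackup backup systemstate /j "<job>" /f "<file>"
    $ntbackup     = Join-Path $env:SystemRoot 'System32\ntbackup.exe'
    $ntbackupArgs = @('backup', 'systemstate', '/j', "`"$job`"", '/f', "`"$target`"")
    $proc = Start-Process -FilePath $ntbackup -ArgumentList $ntbackupArgs -Wait -PassThru -WindowStyle Hidden

    # Check the output rather than trusting the exit code alone: a DC system
    # state is at least tens of megabytes, so a tiny or missing file means failure.
    if (-not (Test-Path -Path $target) -or (Get-Item -Path $target).Length -lt 10MB) {
        throw "System state backup on $env:COMPUTERNAME produced no usable file at $target (ntbackup exit code $($proc.ExitCode))."
    }

    # Prune this DC's copies that are past the retention window.
    Get-ChildItem -Path $BackupShare -Filter "$env:COMPUTERNAME-systemstate-*.bkf" |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetentionDays) } |
        Remove-Item -Force

    return $target
}

# Register once per DC, as a Domain Admin (assumed task name, script path and account):
#   schtasks /Create /SC DAILY /ST 02:00 /TN "DC System State Backup" /RU "EXAMPLE\svc-dcbackup" /RP * ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-DcSystemState.ps1"
# The run-as account must be able to back up the system state on the DC (Backup
# Operators or equivalent) and write to the share, so treat it as a DC-tier account.

try {
    $file = Invoke-DcSystemStateBackup
    "$(Get-Date -Format s) OK $file" | Add-Content -Path $LogPath
} catch {
    "$(Get-Date -Format s) FAILED $_" | Add-Content -Path $LogPath
    exit 1   # non-zero exit so the scheduled task records the failure
}
```

Kurt's variant (the share lives on the file server and only DAs can read it) and joe's (the dump sits on the DC and the backup team collects it) differ only in where `$BackupShare` points and who is on its ACL; in both cases the account that runs the backup is the one that ends up holding a copy of the directory, which is exactly why the thread resists handing that role to a team outside the DC owners.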
| | | |