Author: kevinrjames (Posts: 35)
Date: 01/13/2010 6:26 PM
SBS doesn't allow normal users the ability to interactively log on to the SBS server either. It's a bad practice in an environment of any size.
/kj
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Laura E. Hunter
> Sent: Wednesday, January 13, 2010 10:30 AM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Remote Desktop Login into Aditional Domain Controller Server [SEC=UNCLASSIFIED]
>
> Adding to Dave's point - even if these users are performing admin tasks, you are granting console rights on a DC to a non-Domain Admin. Unless these are 2008 RODCs, from a risk management perspective I consider this security-equivalent to granting DA rights, and would not do so for an organization of any non-trivial size (again throwing out SBS as an anomaly.)
>
> On Wed, Jan 13, 2010 at 12:24 PM, Dave Wade <dave.wade@stockport.gov.uk> wrote:
> > Actually I guess that what I am saying is why are non-admins logging on to DCs. I manage our Network and I have an Account with Enterprise Admin rights (No not my normal account that's just a "Normal Users" account) that I can use to log on to our DCs. I can't actually remember when I last logged on to a DC either at a real console or via an RDP session. It's something I avoid as far as possible because of the risks to the server.
> >
> > You shouldn't be doing things on DCs that could be done elsewhere (unless you are SBS of course). They need all their RAM to cache the DIT. I don't want user apps like IE slugging the performance and possibly introducing nasties onto the server...
> >
> > So if they are not running "normal apps" then they are doing management and admin tasks.
> >
> > Dave Wade
> >
> >> -----Original Message-----
> >> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Haritwal, Dhiraj
> >> Sent: 13 January 2010 17:02
> >> To: activedir@mail.activedir.org
> >> Subject: RE: [ActiveDir] Remote Desktop Login into Aditional Domain Controller Server [SEC=UNCLASSIFIED]
> >>
> >> No I mean they are not in Domain Admin group & even I don't want to add them in Domain Admin. What other group membership I need to give them to achieve this.
> >>
> >> Dhiraj
> >>
> >> -----Original Message-----
> >> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave Wade
> >> Sent: Wednesday, January 13, 2010 10:08 PM
> >> To: activedir@mail.activedir.org
> >> Subject: RE: [ActiveDir] Remote Desktop Login into Aditional Domain Controller Server [SEC=UNCLASSIFIED]
> >>
> >> Well if they are Domain Admins then they can RDP any way...
> >>
> >> Dave Wade
> >> Business Services I.C.T.
> >> 0161 474 5456
> >>
> >> > -----Original Message-----
> >> > From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Haritwal, Dhiraj
> >> > Sent: 13 January 2010 14:47
> >> > To: activedir@mail.activedir.org
> >> > Subject: RE: [ActiveDir] Remote Desktop Login into Aditional Domain Controller Server [SEC=UNCLASSIFIED]
> >> >
> >> > Thanks Dave, what kind of access/permissions should have to that higher level group except Default domain admin group.
> >> >
> >> > Dhiraj
> >> >
> >> > -----Original Message-----
> >> > From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave Wade
> >> > Sent: Wednesday, January 13, 2010 7:40 PM
> >> > To: activedir@mail.activedir.org
> >> > Subject: RE: [ActiveDir] Remote Desktop Login into Aditional Domain Controller Server [SEC=UNCLASSIFIED]
> >> >
> >> > Dhiraj
> >> >
> >> > I think you can do this by means of group policy. In the Computer Configuration, Windows Settings, Security Settings, User Rights Assignments, Allow Logon Through Terminal Services you can list the users allowed to log on. By default this contains "Remote Desktop Users, Administrators" which is why these folks can log on. You can set a policy that only applies to the servers in question to change this and add another group, but remember that this isn't cumulative, so you need to ensure EVERYONE you want to log on is included either directly or indirectly in a single policy. However if the server is a DC then they won't be able to do much without being a member of one of the other high-level admin groups.
> >> >
> >> > Dave Wade
> >> >
> >> > > -----Original Message-----
> >> > > From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Haritwal, Dhiraj
> >> > > Sent: 13 January 2010 13:11
> >> > > To: activedir@mail.activedir.org
> >> > > Subject: RE: [ActiveDir] Remote Desktop Login into Aditional Domain Controller Server [SEC=UNCLASSIFIED]
> >> > >
> >> > > Are you telling me to run CMD on a remote machine with PSExec? I think you didn't get my requirement. I want to login into AD/ADC Server with Remote Desktop with a common user account with adding this account into Remote Desktop User group. What permissions/delegation I have to give to this new user account to achieve this. I can add this account on member servers Remote Desktop user group but as these are DC's/ADC's so don't want to add them the Domain's default Remote Desktop User group. So checking another way out.
> >> > >
> >> > > Dhiraj
> >> > >
> >> > > -----Original Message-----
> >> > > From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Wilkinson, Alex
> >> > > Sent: Wednesday, January 13, 2010 6:25 PM
> >> > > To: activedir@mail.activedir.org
> >> > > Subject: Re: [ActiveDir] Remote Desktop Login into Aditional Domain Controller Server [SEC=UNCLASSIFIED]
> >> > >
> >> > > On Wed, Jan 13, 2010 at 07:19:39PM +0800, Haritwal, Dhiraj wrote:
> >> > >
> >> > > >I want to login into an ADC via Remote Desktop with a newly created account but not added into Remote Desktop users. Want to check is there any other way to login into DC/ADC without adding it to RDP Group.
> >> > >
> >> > > psexec.exe [http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx]
> >> > >
> >> > > e.g.
> >> > >
> >> > > c:\>psexec.exe \\computername "cmd.exe"
> >> > >
> >> > > -Alex
> >> > >
> >> > > IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
> >> > >
> >> > > This email is confidential and intended only for the use of the individual or entity named above and may contain information that is privileged. If you are not the intended recipient, you are notified that any dissemination, distribution or copying of this email is strictly prohibited. If you have received this email in error, please notify us immediately by return email or telephone and destroy the original message. - This mail is sent via Sony Asia Pacific Mail Gateway..
> >> >
> >> > **********************************************************************
> >> > Stockport Council is officially one of the best in the country. Awarded four stars and improving strongly by the Audit Commission March 2009.
> >> >
> >> > This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act.
> >> >
> >> > If you receive this email in error please notify Stockport ICT, Business Services via email.query@stockport.gov.uk and then permanently remove it from your system.
> >> >
> >> > Thank you.
> >> >
> >> > http://www.stockport.gov.uk
> >> > **********************************************************************
>
> --
> -----------------------
> Laura E. Hunter
> Principal, LHA Consulting Incorporated (http://www.lhaconsulting.com)
> Microsoft MVP, Directory Services (https://mvp.support.microsoft.com/profile/laura)
> Author, Active Directory Consultant's Field Guide (http://tinyurl.com/7f8ll)
> Author, Active Directory Cookbook, Third Edition (http://tinyurl.com/7kp3ct)
Sent to activedir@mail.activedir.org from Kevin R. James
Virus scanned by GFI MailSecurity 13/1/2010
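Dave Wade's point about the "Allow log on through Terminal Services" user right and Laura's point that a non-Domain Admin on a DC console is DA-equivalent suggest a periodic check. The script below is an added example, not from anyone in the thread; it assumes the RSAT ActiveDirectory module, PowerShell remoting to each DC, and local admin rights there (secedit needs them), and it exports each DC's effective user rights, resolves who holds SeRemoteInteractiveLogonRight, expands groups, and flags any member who is not already in Administrators, Domain Admins or Enterprise Admins.

```powershell
# Added audit script, not from the thread. Assumes the RSAT ActiveDirectory
# module, PowerShell remoting to each DC, and the right to run secedit there.
# It lists every principal granted "Allow log on through Remote Desktop Services"
# (SeRemoteInteractiveLogonRight) on each DC, expands groups, and flags members
# who are not in the high-privilege groups the thread treats as DC-equivalent.

Import-Module ActiveDirectory

# Groups whose members already hold DC-console-equivalent rights.
$privilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins')

function Get-RdpLogonRightHolders {
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # secedit writes the effective local policy to an INF file whose
        # [Privilege Rights] section has one line per user right.
        $inf = Join-Path $env:TEMP 'ura-audit.inf'
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content $inf | Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' }
        Remove-Item $inf -ErrorAction SilentlyContinue
        if (-not $line) { return }
        # Right-hand side is a comma-separated list of *SID entries; resolve each.
        foreach ($entry in ($line -split '=', 2)[1].Trim() -split ',') {
            $sid = [System.Security.Principal.SecurityIdentifier]$entry.Trim().TrimStart('*')
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        }
    }
}

# Everyone who is legitimately privileged, for comparison.
$privilegedMembers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
}

foreach ($dc in Get-ADDomainController -Filter *) {
    foreach ($holder in Get-RdpLogonRightHolders -ComputerName $dc.HostName) {
        $name = ($holder -split '\\')[-1]   # drop the DOMAIN\ or BUILTIN\ prefix
        # Expand the grantee if it is a group; otherwise it is itself the member.
        try {
            $members = Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop |
                Select-Object -ExpandProperty SamAccountName
        } catch { $members = @($name) }
        foreach ($m in $members) {
            $status = if ($privilegedMembers -contains $m) { 'expected' } else { 'REVIEW: non-admin can log on to a DC via RDP' }
            [pscustomobject]@{ DC = $dc.HostName; Grantee = $holder; Member = $m; Status = $status }
        }
    }
}
```

Because the user right is read from each DC's effective policy rather than from the GPO, the report also reflects Dave's caveat that the setting is not cumulative: whatever single policy won on that DC is what you see.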