22 June 2012 12:42
Domain servers 2008R2 SP1, functionality level 2008R2
I have a vendor that states that a service account needs to be a member of the Domain Admins group. I am totally against that. This is what he says it does:
To add to below, DC Agent doesn't use any writing ability whatsoever. It does not change passwords, add new users or make/modify group objects.
DC Agent only does two things:
- DC polling (which uses a remote procedure call to the domain controllers to run the command "net session").
- Workstation polling to look at the registry on workstations.
User Service uses NetUserGetGroups, which requires domain administrative rights.
I took a look at
http://msdn.microsoft.com/en-us/library/windows/desktop/aa370653(v=vs.85).aspx which led me to http://msdn.microsoft.com/en-us/library/windows/desktop/aa370891(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx. It doesn't specify that it needs domain admin rights, but it also leaves me confused about what rights it does need.
What access does this account need to pull the information needed?
22 June 2012 12:44
The title is a little off; my original question was how to create a read-only domain admin account, but I decided to ask what specific access this account really needs.
22 June 2012 12:53
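One way to settle the question empirically, as an added example that is not part of this thread: call NetUserGetGroups directly from PowerShell through P/Invoke while logged on as the candidate service account (a plain domain user, not a Domain Admin). If the call returns group names, the API does not need Domain Admins for this operation; if it returns status 5 (ERROR_ACCESS_DENIED), you have an exact, reproducible statement of what is missing. The server name DC01 and the user names are placeholders.

```powershell
# Added example, not vendor code: P/Invoke wrapper around NetUserGetGroups (netapi32.dll).
# Assumptions: DC01 is a placeholder domain controller, CONTOSO\svc_dcagent and jdoe are placeholder accounts.
$netApi = @'
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    // NET_API_STATUS NetUserGetGroups(LPCWSTR servername, LPCWSTR username, DWORD level,
    //     LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries)
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetUserGetGroups(string servername, string username, int level,
        out IntPtr bufptr, int prefmaxlen, out int entriesread, out int totalentries);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
'@
Add-Type -TypeDefinition $netApi

function Get-GlobalGroupsViaNetApi {
    param(
        [Parameter(Mandatory=$true)][string]$Server,   # a domain controller, e.g. DC01
        [Parameter(Mandatory=$true)][string]$User      # sAMAccountName to look up
    )
    $buf = [IntPtr]::Zero; $read = 0; $total = 0
    # level 0 = GROUP_USERS_INFO_0 (group name only); -1 = MAX_PREFERRED_LENGTH (let the API size the buffer)
    $rc = [NetApi]::NetUserGetGroups($Server, $User, 0, [ref]$buf, -1, [ref]$read, [ref]$total)
    switch ($rc) {
        0       { }
        5       { throw "ERROR_ACCESS_DENIED (5): the calling account may not read group membership of '$User'" }
        2221    { throw "NERR_UserNotFound (2221): no user '$User' on $Server" }
        default { throw "NetUserGetGroups returned status $rc" }
    }
    try {
        # The buffer holds an array of GROUP_USERS_INFO_0 structs; each is a single LPWSTR (pointer-sized).
        for ($i = 0; $i -lt $read; $i++) {
            $entry = [IntPtr]($buf.ToInt64() + $i * [IntPtr]::Size)
            [Runtime.InteropServices.Marshal]::PtrToStringUni(
                [Runtime.InteropServices.Marshal]::ReadIntPtr($entry))
        }
    } finally {
        [void][NetApi]::NetApiBufferFree($buf)   # always release the API-allocated buffer
    }
}

# Usage: start this shell as the candidate service account, e.g.
#   runas /user:CONTOSO\svc_dcagent powershell.exe
# then confirm that account is NOT a Domain Admin before testing:
whoami /groups | Select-String 'Domain Admins'          # should print nothing
Get-GlobalGroupsViaNetApi -Server 'DC01' -User 'jdoe'   # lists jdoe's global groups, or throws with the Win32 status
```

Running the same function once as a plain domain user and once as the vendor's proposed Domain Admin gives a side-by-side answer to "what access does this account need" that does not depend on the vendor's description; the status code in the thrown error is the concrete item to take back to them.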
There is no read-only domain administrator account in AD. Members of the Domain Admins group have very powerful permissions in your domain, so it is bad practice to add a lot of user accounts to domain admin groups.
By default all domain users have read access to Active Directory. They can check user accounts, computer accounts, GPOs, etc. in your AD.
I don't understand what you are trying to accomplish here. What does your vendor need to do in your domain?
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
22 June 2012 13:19
Thanks for the quick reply. I am going to see if I can probe them for more information, because like you I am not understanding what they are trying to do with the account. I'll keep you posted; they are pretty quick to reply because they strongly believe it needs to be a domain admin or enterprise admin.
22 June 2012 13:56
The vendors mostly make it that way so they don't have to program "good" software that domain users are able to run. Depending on the purpose of the software, I know that some backup programs, for example, require an account with full access to work correctly for getting into the systems.
You may think about using a local administrator account instead of using the Domain Admins group.
The best option, of course, is to find all the permissions that are really required. Process Monitor may help you to monitor the software during startup and while running to see which folders/registry keys it really needs access to.
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.