Read Only Domain Admin Account

All replies

  • The title is a little off; my original question was how to create a read-only domain admin account, but I decided to ask what specific access this account really needs.

    AilBoogie

    22 June 2012 12:44
  • There is no read-only domain administrator account in AD. Members of Domain administrator account will have more powerful permissions in your domain. So it is bad practice to add a lot of user accounts to domain admin groups.

    By default all domain users will have read access to Active Directory. They can check the user accounts/computer accounts/GPOs etc. in your AD.

    I don't understand what you are trying to accomplish here. What does your vendor need to do in your domain?

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    22 June 2012 12:53
  • Thanks for the quick reply. I am going to see if I can probe them for more information because, like you, I am not understanding what they are trying to do with the account. I'll keep you posted; they are pretty quick to reply because they strongly believe it needs to be a domain admin or enterprise admin.


    AilBoogie

    22 June 2012 13:19
  • Hello,

    The vendors mostly make it that way so they don't have to program "good" software so that domain users are able to run them. Depending on the purpose of the software, I know that some backup programs, for example, require an account with full access to work correctly for getting into the systems.

    You may think about using a local administrator account instead of using the domain admins.

    Best option of course is to find all required permissions that are really needed. ProcessMonitor may help you to monitor the software during startup and running to see on which folders/registry keys access is really required.

    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    22 June 2012 13:56
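
An added example, not part of the original thread: one way to turn a Process Monitor CSV export into a list of the folders and registry keys a vendor process actually needs, so a scoped account can replace Domain Admin membership. The sample rows are constructed, `VendorAgent.exe` and every path are hypothetical, and the rule for what counts as a write is an assumption of this sketch.

```python
import csv
import io
import re

# Constructed sample in the column layout of a Process Monitor CSV export.
# "VendorAgent.exe" and all paths are hypothetical.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:00:01.1","VendorAgent.exe","4120","CreateFile","C:\ProgramData\Vendor\agent.log","ACCESS DENIED","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, ShareMode: Read"
"12:00:01.2","VendorAgent.exe","4120","RegOpenKey","HKLM\SOFTWARE\Vendor\Agent","SUCCESS","Desired Access: Read"
"12:00:01.3","VendorAgent.exe","4120","RegSetValue","HKLM\SOFTWARE\Vendor\Agent\LastRun","ACCESS DENIED","Type: REG_SZ, Length: 22, Data: 2012-06-22"
"12:00:01.4","VendorAgent.exe","4120","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Read, Disposition: Open, ShareMode: Read, Write, Delete"
"12:00:01.5","explorer.exe","2044","ReadFile","C:\Users\Public\desktop.ini","SUCCESS","Offset: 0, Length: 174"
'''

# Assumption: these operations and "Desired Access" keywords imply modification.
WRITE_OPS = {"WriteFile", "RegSetValue", "RegDeleteKey", "RegDeleteValue"}
WRITE_HINTS = ("Write", "Delete", "Set Value", "All Access")
DESIRED = re.compile(r"Desired Access: (.*?)(?:, Disposition:|$)")


def summarize_access(csv_text, process_name):
    """Map each path the process touched to the access it asked for."""
    needs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        # Only the Desired Access field counts; ShareMode also lists "Write".
        match = DESIRED.search(row["Detail"])
        desired = match.group(1) if match else ""
        writes = row["Operation"] in WRITE_OPS or any(h in desired for h in WRITE_HINTS)
        entry = needs.setdefault(row["Path"], {"access": "read", "denied": False})
        if writes:
            entry["access"] = "write"
        if row["Result"] == "ACCESS DENIED":
            entry["denied"] = True
    return needs


if __name__ == "__main__":
    # For a real export: open(path, encoding="utf-8-sig", newline="").read()
    # (utf-8-sig tolerates a byte-order mark if the export has one).
    for path, need in sorted(summarize_access(SAMPLE_CSV, "VendorAgent.exe").items()):
        flag = "DENIED as current user" if need["denied"] else "ok"
        print(f"{need['access']:5} {flag:22} {path}")
```

Paths flagged as denied when the software runs under an ordinary domain user are the ones that need an explicit ACL or delegated right for the service account.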