a parte la prima domanda alla quale ha già risposto correttamente Fabrizio, le risposte alle altre due domande sono:
2) non possiamo definire utente più "potente" ma utente che ha permessi maggiori di un utente membro del gruppo Domain Admins è l'utente che sia anche membro del gruppo Enterprise Admins, del gruppo Schema Admins, ecc.ecc. secondo lo schema riportato
di seguito
|
Group or Account Name
|
Default Location
|
Description
|
|
Enterprise Admins
|
Users container
|
This group is automatically added to the Administrators group in every domain in the forest, providing complete access to the configuration of all domain controllers.
|
|
Schema Admins
|
Users container
|
This group has full administrative access to the Active Directory schema.
|
|
Administrators
|
Builtin container
|
This group has complete control over all domain controllers and all directory content stored in the domain, and it can change the membership of all administrative groups in the domain. It is the most powerful service
administrative group.
|
|
Domain Admins
|
Users container
|
This group is automatically added to the corresponding Administrators group in every domain in the forest. It has complete control over all domain controllers and all directory content stored in the domain and
it can modify the membership of all administrative accounts in the domain.
|
|
Server Operators
|
Builtin container
|
By default, this built-in group has no members. It can perform maintenance tasks, such as backup and restore, on domain controllers.
|
|
Account Operators
|
Builtin container
|
By default, this built-in group has no members. It can create and manage users and groups in the domain, but it cannot manage service administrator accounts. As a best practice, do not add members to this group,
and do not use it for any delegated administration.
|
|
Backup Operators
|
Builtin container
|
By default, this built-in group has no members. It can perform backup and restore operations on domain controllers.
|
|
DS Restore Mode Administrator
|
Not stored in Active Directory
|
This special account is created during the Active Directory installation process, and it is not the same as the Administrator account in the Active Directory database. This account is only used to start the domain
controller in Directory Services Restore Mode. In Directory Services Restore Mode, this account has full access to the system and all files on the domain controller.
|
ref: https://technet.microsoft.com/en-us/library/cc700835.aspx
3) l'appplicazione delle group policies sulle macchine di dominio viene eseguita
a) con le credenziali di localsystem quando si applicano le computer policies ossia allo startup e allo shutdown
b) con le credenziali dell'utente loggato quando si applicano le user policies ossia al login e al logout
ciao.
Edoardo Benussi
Microsoft MVP - Cloud and Datacenter Management
edo[at]mvps[dot]org
