Upgrading a server – what would you do – part 2.

In my previous post I posed a problem where all the users were in the domain admins group and asked what dangers this could pose. The responses included the fact that removing people from the domain admins group could cause issues with programs running on the local desktop if the previous setup relied on the administrative rights to allow users to be an administrator on the local PC. This is a correct statement, but there is another gotcha that has yet to be revealed.

From my analysis of the network (after the gotcha was revealed) it was discovered that the previous administrators had been lazy and actually added everybody to all of the groups in the domain so they wouldn’t have to worry about people not being able to do things. I removed them all from the domain administrators group to lock down security (they would need to be in the power users group for some old applications to work).
So now you know all the relevant details that may lead you to the gotcha, what do you think is the problem?

  • Martin

    Well, if they are running SBS2K3 I assume they are running Exchange exclusively for mail? That being said, a gotcha that would arise from removing DA privileges would be that you would have to explicitly permission any mailboxes (or folders within that mailbox) that users required access to. For example, group mailboxes, Executive calendar/contacts, Public Folders etc. That could be a HUGE pain trying to figure out who needs access to what!

    Am I close?

  • http://absoblogginlutely.net absoblogginlutely

    lol – that would be a nasty thing to have to do. Nope that wasn’t the thing that I experienced. Thanks for replying – hopefully it will have given some other system administrators something to think about.
