
How to alter ADAM administrative rights?

Author
17 Dec 2008 12:33 AM
sepster
Hi All,

Sorry if this question has been answered previously, but I couldn't find this anywhere on these forums (or in a straight-forward form anywhere on the 'net).

One of our customers has an ADAM instance set up on a server, and the instance's administrative account was set to the "Currently logged on user: <Domain>\<user>".

By "administrative account", I mean the one that is set on the "ADAM Administrators - you can specify the user or group that will have administrative privileges for this instance of ADAM" page of the "Create an ADAM instance" wizard.

We want to change the administrative account to be an Active Directory group (I know this works fine, I've done it on a test environment), such that we can add/remove individuals from this group to give them admin privs to the ADAM resource.

Can anyone advise how this is done?

I've found plenty of articles about the dsacls.exe utility, but none seem to relate directly to this problem, and I'm not ADAM-savvy enough to join the dots to make the required changes.

I've got as far as viewing which roles belong to the ACLs, but can't see how to view (or modify) the members of a particular role (in particular the CN=Administrators role).

I've had a look at this role via ADAM-ADSI Edit, and can see a GUID looking ID as a member, but if I add a new AD account it appears in a different form so I'm not sure I'm in the right place or on the right track with this....

Any help appreciated!

Thanks people,

Cheers,
Sep.
--
sepster
sepster's Profile: http://forums.techarena.in/members/sepster.htm
View this thread: http://forums.techarena.in/active-directory/1088830.htm

Author
17 Dec 2008 4:13 AM
Joe Kaplan
Normally, I find it most useful to make the local built in administrators
group on the server be the ADAM admin.  It is pretty natural to want the
administrator to be an admin in ADAM and it is also then easy to add a
domain group to local admins.

In either of these cases, you are adding a Windows security principal to an
ADAM group, so that is represented in ADAM as a foreign security principal
object (the thing with a DN that contains a SID for the CN like
CN=S-1-5-xxx).  In ADAM ADSI Edit, you can use the button to add a Windows
user to add either your domain group or the local admin group.

With a tool like LDP, you need to add the object to the group using the SID
DN syntax which looks like:

<SID=S-1-5-xxxx>

For builtin admins, this is always:

<SID=S-1-5-32-544>

You don't want to use DSACLS for this as you aren't modifying a security
descriptor.  You are just modifying the membership of a group.  ADAM ADSI
Edit is probably the easiest tool to use for this purpose.  Just don't be
fooled by the FSP object that gets created as a result of adding the Windows
users.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Author
17 Dec 2008 4:36 AM
sepster
Hi Joe,

Thanks for your response.

After my initial post, I had tested adding the AD group to the ADAM group via ADAM-AdsiEdit, and it seemed to work as I'd hoped... but I didn't want to rely on this as being the "correct" way to do it without some confirmation as I wasn't sure if I had introduced any problems/side effects/security issues by doing it this way.

As for confirmation, you've just given me that, thanks very much!

Your response raises a couple more questions... I hope you're happy to fill in some further gaps for me?

1. I agree with your recommendation re adding the local administrators group to the ADAM administrators group, although policy here is that we wouldn't then add a domain group (other than domain admins, server admins, etc) to the local admins group.  So, I'll add the local administrators group, and our specific ADAM instance's administration (global/domain) group.  Does that sound reasonable?

2. I have seen MS articles suggesting best practice is to NOT add the builtin groups.  But I don't think I've seen any practical example of why we shouldn't do this (or at least, none that I've understood!).  Based on your recommendation (and my agreement with it), it looks like we don't necessarily agree with the MS recommendation.  Are you able to provide any advice as to why I might or might not want to add builtin groups?

If you don't have time to address my further questions, no worries, you've got me out of a bind already.  The rest is just curiosity about an area of ADAM I've not had much to do with to date and am keen to learn.

Thanks again for your helpful reply mate, much appreciated.

Cheers,
Sep.
Author
17 Dec 2008 5:31 PM
Joe Kaplan
Re: 1--yes, this makes sense.  Having local admins and your specific domain
group both be members of the ADAM admin role is probably the way to go if
you do not want the ADAM admins to be local admins on the box as well.
There is no problem with doing this.

I'm not familiar with recommendations against adding the built in groups and
obviously I don't agree with this guidance.  :)  Do you have a reference for
that?  I am also especially a fan of using the "authenticated users" built in
principal in the readers role as well, as it lets anyone who can bind read
data in the directory.  This is frequently the kind of behavior you would
want and is also extremely easy to manage as you don't need to constantly
add users to the readers role.  Otherwise, it becomes very difficult to
manage the readers role if you plan to generate many ADAM users and wish to
have them be readers.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
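The procedure Joe describes in his two replies (add a Windows security principal to the ADAM Administrators role using the `<SID=...>` DN form, and put Authenticated Users in the Readers role), written out as a PowerShell script. This is an added example, not code from the thread or from any of the posters; it uses the .NET System.DirectoryServices classes rather than LDP or ADAM ADSI Edit. The host name `adamsrv:389`, the application partition `CN=App,DC=contoso,DC=com` and the domain group `CONTOSO\ADAM-Admins` are hypothetical values; replace them with your own. Run it as an account that is already an ADAM administrator (for example the "currently logged on user" the wizard set), or pass explicit credentials to `DirectoryEntry`.

```powershell
# Added example (not from the original thread). Adds Windows principals to
# ADAM role groups with the <SID=...> DN syntax ADAM accepts for foreign
# security principals, then lists the role and decodes the FSP SIDs.
#
# Hypothetical values (assumptions, not from the thread):
$server = 'adamsrv:389'                     # ADAM instance host:port
$appNC  = 'CN=App,DC=contoso,DC=com'        # application partition DN
$group  = 'CONTOSO\ADAM-Admins'             # domain group for ADAM admins

Add-Type -AssemblyName System.DirectoryServices

function Get-SidDn {
    # Turn DOMAIN\Name into the <SID=S-1-5-...> form ADAM expects as a member DN.
    param([string]$Account)
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    return "<SID=$($sid.Value)>"
}

function Add-AdamRoleMember {
    # Add one <SID=...> value to the member attribute of a role group,
    # unless an FSP for that SID is already a member.
    param([string]$RoleDn, [string]$SidDn)
    $role = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$RoleDn")
    $sid  = $SidDn -replace '^<SID=(.*)>$', '$1'
    # Existing members come back as FSP DNs: CN=S-1-5-32-544,CN=ForeignSecurityPrincipals,...
    $already = @($role.Properties['member']) | Where-Object { $_ -like "CN=$sid,*" }
    if (-not $already) {
        [void]$role.Properties['member'].Add($SidDn)
        $role.CommitChanges()
        "added $SidDn to $RoleDn"
    }
}

function Show-AdamRoleMembers {
    # List a role's members and translate FSP SIDs back to DOMAIN\Name.
    param([string]$RoleDn)
    $role = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/$RoleDn")
    foreach ($m in $role.Properties['member']) {
        $name = $m
        if ($m -match '^CN=(S-1-[0-9-]+),') {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $Matches[1] }   # SID from an unreachable/unknown domain
        }
        '{0}  ->  {1}' -f $m, $name
    }
}

# The configuration partition DN embeds the instance GUID; read it from
# rootDSE instead of hard-coding it. The wizard's "ADAM Administrators"
# page populates the Administrators role of this partition; the application
# partition has its own Roles container, so the new admins go into both.
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$server/RootDSE")
$configNC = [string]$rootDse.Properties['configurationNamingContext'].Value

$adminSids = @(
    '<SID=S-1-5-32-544>',   # BUILTIN\Administrators: this SID is the same on every machine
    (Get-SidDn $group)      # the instance-specific domain group
)
foreach ($nc in @($configNC, $appNC)) {
    foreach ($s in $adminSids) {
        Add-AdamRoleMember -RoleDn "CN=Administrators,CN=Roles,$nc" -SidDn $s
    }
}

# Readers role: Authenticated Users (well-known SID S-1-5-11) lets anyone
# who can bind read the partition, so individual users need not be added.
Add-AdamRoleMember -RoleDn "CN=Readers,CN=Roles,$appNC" -SidDn '<SID=S-1-5-11>'

# Verify. The "GUID looking" member the original poster saw is an FSP whose
# CN is a SID; the translation shows which Windows principal it stands for.
Show-AdamRoleMembers -RoleDn "CN=Administrators,CN=Roles,$appNC"
Show-AdamRoleMembers -RoleDn "CN=Readers,CN=Roles,$appNC"
```

Two things worth checking before relying on the result: bind as the new domain group's member afterwards and confirm you can write to the partition, and keep the original administrator in the role until that test passes, since a failed CommitChanges on the last admin leaves no one able to fix the membership. The SID translation in the verify step needs the domain to be reachable; if it is not, the raw SID is printed, which is exactly the situation Lee describes below where BUILTIN\Administrators still gets you in.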
Author
17 Dec 2008 7:24 PM
Lee Flight
Re: builtin groups. The ADAM help file says not to use them for the Administrator account and not to use them in permissions assignments [1]. When I have asked the experts about this the answer was that use of BA in the Administrator role was a management decision, when ADAM was new, for reasons beyond recall. Having seen ADAM in the field I do not think anyone would recommend against this (BA as ADAM administrators); indeed it can be vital for access when the domain is unavailable for an ADAM member server, and it also gives you portability of ADAM instances from production to test.

Lee Flight

[1]
http://technet.microsoft.com/en-us/library/cc782484.aspx
Author
17 Dec 2008 9:20 PM
Joe Kaplan
I obviously never read those docs.  :)  I'm glad we both agree that this is
probably not good advice and there seems to be no justification supporting
it.  Perhaps we should enter a doc bug and try to get this changed?

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net