[windows2000] Re: FW: Account operator privileges bet

  • From: "Joe Shonk" <JShonk@xxxxxxxxxxxxxx>
  • To: <windows2000@xxxxxxxxxxxxx>
  • Date: Mon, 5 May 2003 13:55:14 -0700

Not so fast...  The original message is a little confusing..  anyways:
The Account Operator group is a domain group.  The AO can change
passwords to AD accounts (including Domain Admins).  The AO cannot
change the local user accounts unless that account/group has been given
explicit rights or added to a group that does have rights.

It's still a security risk: the AO can change a Domain Admin's password and log
into the local machine as that account (Domain Admins is generally a
member of the local Administrators group by default).

Even so, with AD, AO rights are not necessary.  Just delegate rights to
the users/groups to reset passwords.

Joe
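The delegation Joe recommends in place of Account Operators, as an added example (not code from the thread). It assumes the ActiveDirectory PowerShell module and its AD: drive, which did not exist when the thread was written; the OU name OU=Staff,DC=example,DC=com and the group Helpdesk-PasswordReset are hypothetical. The three GUIDs are fixed schema values in Active Directory. The last query is the check a practitioner wants after delegating: accounts with adminCount=1 are protected by AdminSDHolder, whose ACL SDProp reapplies to them periodically, so a delegation placed on the OU never reaches those accounts.

```powershell
# Added example, not from the original thread.
# Delegate "Reset Password" on one OU to a helpdesk group, verify the ACEs,
# then list the accounts in that OU that the delegation will not reach.
# Assumes: RSAT ActiveDirectory module, a domain-joined host, and the
# hypothetical OU and group names below.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=example,DC=com'   # hypothetical OU
$groupName = 'Helpdesk-PasswordReset'       # hypothetical group

# Well-known GUIDs, fixed in the AD schema:
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right "Reset Password"
$PwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute pwdLastSet
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # object class "user"

$sid = (Get-ADGroup $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# Reset Password on user objects beneath the OU (Descendents + user class:
# the ACE applies to users, not to the OU itself or to computers/groups).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass))

# Read/Write pwdLastSet so the helpdesk can set "User must change password at next logon".
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $PwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: the ACEs now granted to the group on the OU. Expect exactly the two above.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# Check: accounts the delegation will NOT reach. adminCount=1 marks objects
# protected by AdminSDHolder; SDProp periodically overwrites their ACL with the
# one on CN=AdminSDHolder,CN=System, discarding anything inherited from the OU.
Get-ADUser -SearchBase $ouDN -LDAPFilter '(adminCount=1)' |
    Select-Object SamAccountName, DistinguishedName
```

On a Windows 2000/2003 domain controller without PowerShell the same delegation is one dsacls command, with the same hypothetical names: `dsacls "OU=Staff,DC=example,DC=com" /I:S /G "EXAMPLE\Helpdesk-PasswordReset:CA;Reset Password;user"` (`/I:S` limits the ACE to sub-objects, `CA` is a control access right, and the trailing `user` restricts it to user objects).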

-----Original Message-----
From: Costanzo, Ray [mailto:rcostanzo@xxxxxxxxxxx]
Sent: Monday, May 05, 2003 1:42 PM
To: windows2000@xxxxxxxxxxxxx
Subject: [windows2000] Re: FW: Account operator privileges bet



Yeah, network guy here is like, "Eh, that's all stored in the active
directory.  Here, let me show you.  Open the AD Users and Computers
snap-in, go to computers, right click that computer, and click manage.
Look at the admin group.  See, that's in the AD."  And I'm all like,
"Uh, no.  I'm connecting to that remote workstation to get this
information..."  I will be collecting a dollar.

Thank you all.

p.s.  Someone please get me a job where network people understand
fundamentals.

Ray at work

> -----Original Message-----
> From: Sullivan, Glenn [mailto:GSullivan@xxxxxxxxxxxxxx]
> Sent: Monday, May 05, 2003 3:26 PM
> To: 'windows2000@xxxxxxxxxxxxx'
> Subject: [windows2000] FW: Account operator privileges bet
>
> D'oh...
>
> False.
>
> (I read it wrong the first time)
>
> Let me make it clear: Josh CAN reset the other regular (and
> local admin) account's password.
>
> Sorry,
>
> Glenn Sullivan, MCSE+I  MCDBA
> David Clark Company Inc.
>
>
> -----Original Message-----
> From: Sullivan, Glenn
> Sent: Monday, May 05, 2003 3:24 PM
> To: 'windows2000@xxxxxxxxxxxxx'
> Subject: RE: [windows2000] Account operator privileges bet
>
> True.
>
> The domain knows nothing of his local group memberships.
> Local group membership is applied by the local SAM, after
> the user has authenticated to the domain (in a domain environment).
>
> Settling another argument?  I'm going to have to ask for
> mediation fees pretty soon...
>
> Glenn Sullivan, MCSE+I  MCDBA
> David Clark Company Inc.
>
>
> -----Original Message-----
> From: Costanzo, Ray [mailto:rcostanzo@xxxxxxxxxxx]
> Sent: Monday, May 05, 2003 3:19 PM
> To: windows2000@xxxxxxxxxxxxx
> Subject: [windows2000] Account operator privileges bet
>
> Hi list,
>
> If anyone could settle a bet here...
>
> Domain user JOSH has account operator privileges in the
> domain.  JOSH is permitted to reset passwords for ordinary
> users and other users who do not have higher privileges in
> the domain (i.e. domain admin).  Now, TRUE OR FALSE.  JOSH
> does not have permissions to reset a DOMAIN user account
> (ordinary user) if that user has LOCAL ADMIN rights on his
> WINDOWS NT workstation.
>
> Thanks,
>
> Ray at work
>
>
> **********************************************************************
> This email and any files transmitted with it are confidential
> and intended solely for the use of the individual or entity
> to whom they are addressed. If you have received this email
> in error please notify the system manager.
>
> This footnote also confirms that this email message has been
> swept by MIMEsweeper for the presence of computer viruses.
>
> www.mimesweeper.com
> **********************************************************************


==================================
To Unsubscribe, set digest or vacation
mode or view archives use the below link.

http://thethin.net/win2000list.cfm



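Glenn's point in the quoted exchange, that a workstation's local group membership lives in its own SAM and the domain knows nothing about it, as an added example (not code from the thread). It reads the workstation's local Administrators group through the WinNT ADSI provider, which also works against NT-era machines, and labels each member by whether it comes from the local SAM or from a domain. The workstation name WKS-RAY is hypothetical, and the caller needs read access to that workstation's SAM.

```powershell
# Added example, not from the original thread.
# Enumerate the local Administrators group of a remote workstation and show
# where each member is defined: in the workstation's SAM or in a domain.
# Assumes the hypothetical workstation name below and read access to its SAM.
function Get-LocalAdmins {
    param([string]$Computer = 'WKS-RAY')   # hypothetical workstation

    # WinNT provider: talks to the machine's local SAM, not to Active Directory.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"

    foreach ($m in $group.Invoke('Members')) {
        # Members are COM objects; read their properties through reflection.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $cls  = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)

        # ADsPath is WinNT://<authority>/<name>, e.g. WinNT://EXAMPLE/JOSH for a
        # domain account or WinNT://WKS-RAY/Administrator for a local one.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $authority = $parts[0]

        [pscustomobject]@{
            Computer = $Computer
            Member   = $parts[-1]
            Class    = $cls                         # User or Group
            Source   = if ($authority -ieq $Computer) { 'local SAM' } else { "domain $authority" }
        }
    }
}

# A domain user or group listed with Source = "domain ..." is a domain object
# nested in a local group; nothing in AD records that nesting, which is why
# the membership has to be read from the workstation itself.
Get-LocalAdmins | Format-Table -AutoSize
```

The same query against the domain's own directory would turn up nothing for a local group, which is the substance of the bet: the domain-side right to reset JOSH's target accounts and the workstation-side local Administrators membership are evaluated in two different places.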

Other related posts: