I am trying to limit scope, and there are things that I want the new admin user to be able to do, and others that I don't. Changing TS config is one thing that I would like them to be able to do; acting as part of the operating system, I don't.
It's an un-attended install for us, so ghosting the server I don't care too much about, I just rebuild the box, drop a couple of software components on it, re-harden it, and drop it back off into the wild. I can have it back within a day, and that's good enough for the business.
Berny
2008/6/23 Joe Shonk <joe.shonk@gmail.com>:
Is that really necessary? It is not recommended (nor possible via normal means) to disable the administrator's account. If you're worried about someone getting in the machine and having admin rights then keep the scope of the administrators group to the local administrator and keep a ghost image of the server for easy recovery.
JoeOn Mon, Jun 23, 2008 at 5:15 AM, Berny Stapleton <berny@technology.net.au> wrote:
The administrator account on this host is disabled, and I am trying to replace it. Effectively, I want the Administrator SID to be useless, unfortunately from what I have seen so far is that Windows is hard coded in places to use the Administrator SID, so this is going to be impossible. I would like to get as close to it as possible though.
The only way I can get the admin account back now is to boot off a CD and modify the registry offline.
Berny2008/6/23 Joe Shonk <joe.shonk@gmail.com>:
Run with elevated rights?
JoeOn Mon, Jun 23, 2008 at 4:23 AM, Berny Stapleton <berny@technology.net.au> wrote:Hi all,
Does anyone know how to allow permissions to modify / configure the Terminal Services Configuration without adding someone to the Administrators group?
I have given the user Full Control on the permissions tab, but they can't modify the configuration...
Thanks,
Berny
No comments:
Post a Comment