Giving admins Local Admin to DC's not Domain Admins

B

Brodieman

Hi guys

I have a requirement to be able to let certain sets of administrators the
ability to login to domain controllers with out permissions over the whole
domain.

Althought I can give the users PowerUser or LocalLogon rights via making a
domain security group a member of the PowerUser or LocalLogon group there
does not appear to be a local admin group on DCs.

Can you with Server 2003 give a user just local admin to a DC without DA
rights???
 
S

S. Pidgorny

No. You can grant permission to log on locally (group policy - user righs
assignments) and via remote desktop, and other rights and permissions, but
there's no such thing as local administrators on DCs.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Brodieman" <Brodieman@discussions.microsoft.com> wrote in message
news:B350DA7C-99DD-482A-9605-E16374496592@microsoft.com...
> Hi guys
>
> I have a requirement to be able to let certain sets of administrators the
> ability to login to domain controllers with out permissions over the whole
> domain.
>
> Althought I can give the users PowerUser or LocalLogon rights via making a
> domain security group a member of the PowerUser or LocalLogon group there
> does not appear to be a local admin group on DCs.
>
> Can you with Server 2003 give a user just local admin to a DC without DA
> rights???
 
R

Roger Abell [MVP]

"Brodieman" <Brodieman@discussions.microsoft.com> wrote in message
news:B350DA7C-99DD-482A-9605-E16374496592@microsoft.com...
> Hi guys
>
> I have a requirement to be able to let certain sets of administrators the
> ability to login to domain controllers with out permissions over the whole
> domain.
>

Why? In general it is a poor practice to have DCs logged into except
when necessary by domain admins. That's a generality of course.
Most manamgement task can be accomplished by delegated users by
use of remote admin tools.

That said, "a set of administrators" means what? Administrators where?

> Althought I can give the users PowerUser or LocalLogon rights via making a

Do not give Power User membership. If you really trust someone you might
but the line between Power User and Domain Admin membership is thin as
it is within Power User grants to elevate themselves if they really want.

Local Logon and Users membership should be enough, unless you mean
log in with remote desktop in which case use the Remote Desktop Users
group instead of the logon locally user right.

> domain security group a member of the PowerUser or LocalLogon group there
> does not appear to be a local admin group on DCs.
>

LocalLogon group must be something custom defined on your machine(s)
so I cannot say what it does, but the logon locally user right (which might
be granted to your LocalLogon group) is possibly enough to enable console
login (assuming they are one way or another in Users). This holds for DCs
as well as non-DC servers and workstations.

> Can you with Server 2003 give a user just local admin to a DC without DA
> rights???

Yes. But the distinction is just as thin as for Power Users.
One just uses the Administrators group (in your domain in AD by default in
the Built-in container). However, you really, really should aim at using
the domain group that is used to make this set of admins Administrators on
those non-DC machines to grant to them the rights needed to do their tasks
with the remote administration tools. Failing the ability to convince
people
that those tasks do not create a "requirement" to all DC local login (and/or
remote desktop login), then use that group to grant Users membership and
the log on locally user right (make sure you do that in a GPO linked to the
DC OU, not to the domain) and verify they are, one way or another, members
of Users. You probably also need to make grants to that group so that they
may do whatever the task behind the requirement is.

So, that would be a way to do it. But resist! Aim to just delegate to
their
(not otherwise elevated) accounts and have them use remote tools.

Roger
 
B

Brodieman

Thanks you for that, i guess that might be the case.

"S. Pidgorny <MVP>" wrote:

> No. You can grant permission to log on locally (group policy - user righs
> assignments) and via remote desktop, and other rights and permissions, but
> there's no such thing as local administrators on DCs.
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "Brodieman" <Brodieman@discussions.microsoft.com> wrote in message
> news:B350DA7C-99DD-482A-9605-E16374496592@microsoft.com...
> > Hi guys
> >
> > I have a requirement to be able to let certain sets of administrators the
> > ability to login to domain controllers with out permissions over the whole
> > domain.
> >
> > Althought I can give the users PowerUser or LocalLogon rights via making a
> > domain security group a member of the PowerUser or LocalLogon group there
> > does not appear to be a local admin group on DCs.
> >
> > Can you with Server 2003 give a user just local admin to a DC without DA
> > rights???
>
>
>
 
S

Shenan Stanley

Brodieman wrote:
> I have a requirement to be able to let certain sets of
> administrators the ability to login to domain controllers with
> out permissions over the whole domain.
>
> Althought I can give the users PowerUser or LocalLogon rights via
> making a domain security group a member of the PowerUser or
> LocalLogon group there does not appear to be a local admin group
> on DCs.
>
> Can you with Server 2003 give a user just local admin to a DC
> without DA rights???

S. Pidgorny <MVP> wrote:
> No. You can grant permission to log on locally (group policy -
> user righs assignments) and via remote desktop, and other rights
> and permissions, but there's no such thing as local administrators
> on DCs.

Brodieman wrote:
> Thanks you for that, i guess that might be the case.


No need for guessing.
Domain Controllers do not have local accounts.

http://windowsitpro.com/article/art...-promote-a-server-to-a-domain-controller.html

http://techrepublic.com.com/5208-7343-0.html?forumID=102&threadID=268861&start=0

Good luck!

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
D

Dan

Exactly, Roger. You give people what they need to know on an as needed basis
and only as much power as you are comfortable with giving them. This is
essential and if people need more information then the question should always
be why and people seem to easily forget that their work machines are not for
personnel use and every activity from work is monitored.
It is bad enough in this day and age that it is becoming increasingly
difficult to have individual liberties and freedoms and hopefully the States
will never become the society as seen by George Orwell's 1984 but we
unfortunately seem to be headed quickly down that path but it is not here
yet, thankfully. The importance of maintaining a very limited knowledge
structure is getting more and more essential I am learning to effectively
work within the electronics industry and now I am most intereted in the
Desktop and User level and not too interested in networking because it is too
complex for my brain to fully grasp.
The question of user trust and knowledge is essential and I have learned too
many lessons the hard way from being burned. <grin and bear it and at least I
can still smile about the most unfortunate experiences I have encountered ---
thanks to great mvp's like you, Robear and Chris Quirke and many others ---
too numerous to name them all>

"Roger Abell [MVP]" wrote:

> "Brodieman" <Brodieman@discussions.microsoft.com> wrote in message
> news:B350DA7C-99DD-482A-9605-E16374496592@microsoft.com...
> > Hi guys
> >
> > I have a requirement to be able to let certain sets of administrators the
> > ability to login to domain controllers with out permissions over the whole
> > domain.
> >
>
> Why? In general it is a poor practice to have DCs logged into except
> when necessary by domain admins. That's a generality of course.
> Most manamgement task can be accomplished by delegated users by
> use of remote admin tools.
>
> That said, "a set of administrators" means what? Administrators where?
>
> > Althought I can give the users PowerUser or LocalLogon rights via making a
>
> Do not give Power User membership. If you really trust someone you might
> but the line between Power User and Domain Admin membership is thin as
> it is within Power User grants to elevate themselves if they really want.
>
> Local Logon and Users membership should be enough, unless you mean
> log in with remote desktop in which case use the Remote Desktop Users
> group instead of the logon locally user right.
>
> > domain security group a member of the PowerUser or LocalLogon group there
> > does not appear to be a local admin group on DCs.
> >
>
> LocalLogon group must be something custom defined on your machine(s)
> so I cannot say what it does, but the logon locally user right (which might
> be granted to your LocalLogon group) is possibly enough to enable console
> login (assuming they are one way or another in Users). This holds for DCs
> as well as non-DC servers and workstations.
>
> > Can you with Server 2003 give a user just local admin to a DC without DA
> > rights???
>
> Yes. But the distinction is just as thin as for Power Users.
> One just uses the Administrators group (in your domain in AD by default in
> the Built-in container). However, you really, really should aim at using
> the domain group that is used to make this set of admins Administrators on
> those non-DC machines to grant to them the rights needed to do their tasks
> with the remote administration tools. Failing the ability to convince
> people
> that those tasks do not create a "requirement" to all DC local login (and/or
> remote desktop login), then use that group to grant Users membership and
> the log on locally user right (make sure you do that in a GPO linked to the
> DC OU, not to the domain) and verify they are, one way or another, members
> of Users. You probably also need to make grants to that group so that they
> may do whatever the task behind the requirement is.
>
> So, that would be a way to do it. But resist! Aim to just delegate to
> their
> (not otherwise elevated) accounts and have them use remote tools.
>
> Roger
>
>
>
 
S

Steve Riley [MSFT]

Your statement:

> It is bad enough in this day and age that it is becoming increasingly
> difficult to have individual liberties and freedoms and hopefully the
> States
> will never become the society as seen by George Orwell's 1984 but we
> unfortunately seem to be headed quickly down that path but it is not here
> yet, thankfully.

Is directly contradicted by your next statement:

> The importance of maintaining a very limited knowledge
> structure is getting more and more essential

Do you not see this?


--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Dan" <Dan@discussions.microsoft.com> wrote in message
news:4C1425A8-925A-4F2C-8C06-BA4324B8263E@microsoft.com...
> Exactly, Roger. You give people what they need to know on an as needed
> basis
> and only as much power as you are comfortable with giving them. This is
> essential and if people need more information then the question should
> always
> be why and people seem to easily forget that their work machines are not
> for
> personnel use and every activity from work is monitored.
> It is bad enough in this day and age that it is becoming increasingly
> difficult to have individual liberties and freedoms and hopefully the
> States
> will never become the society as seen by George Orwell's 1984 but we
> unfortunately seem to be headed quickly down that path but it is not here
> yet, thankfully. The importance of maintaining a very limited knowledge
> structure is getting more and more essential I am learning to effectively
> work within the electronics industry and now I am most intereted in the
> Desktop and User level and not too interested in networking because it is
> too
> complex for my brain to fully grasp.
> The question of user trust and knowledge is essential and I have learned
> too
> many lessons the hard way from being burned. <grin and bear it and at
> least I
> can still smile about the most unfortunate experiences I have
> encountered ---
> thanks to great mvp's like you, Robear and Chris Quirke and many
> others ---
> too numerous to name them all>
>
> "Roger Abell [MVP]" wrote:
>
>> "Brodieman" <Brodieman@discussions.microsoft.com> wrote in message
>> news:B350DA7C-99DD-482A-9605-E16374496592@microsoft.com...
>> > Hi guys
>> >
>> > I have a requirement to be able to let certain sets of administrators
>> > the
>> > ability to login to domain controllers with out permissions over the
>> > whole
>> > domain.
>> >
>>
>> Why? In general it is a poor practice to have DCs logged into except
>> when necessary by domain admins. That's a generality of course.
>> Most manamgement task can be accomplished by delegated users by
>> use of remote admin tools.
>>
>> That said, "a set of administrators" means what? Administrators where?
>>
>> > Althought I can give the users PowerUser or LocalLogon rights via
>> > making a
>>
>> Do not give Power User membership. If you really trust someone you might
>> but the line between Power User and Domain Admin membership is thin as
>> it is within Power User grants to elevate themselves if they really want.
>>
>> Local Logon and Users membership should be enough, unless you mean
>> log in with remote desktop in which case use the Remote Desktop Users
>> group instead of the logon locally user right.
>>
>> > domain security group a member of the PowerUser or LocalLogon group
>> > there
>> > does not appear to be a local admin group on DCs.
>> >
>>
>> LocalLogon group must be something custom defined on your machine(s)
>> so I cannot say what it does, but the logon locally user right (which
>> might
>> be granted to your LocalLogon group) is possibly enough to enable console
>> login (assuming they are one way or another in Users). This holds for
>> DCs
>> as well as non-DC servers and workstations.
>>
>> > Can you with Server 2003 give a user just local admin to a DC without
>> > DA
>> > rights???
>>
>> Yes. But the distinction is just as thin as for Power Users.
>> One just uses the Administrators group (in your domain in AD by default
>> in
>> the Built-in container). However, you really, really should aim at using
>> the domain group that is used to make this set of admins Administrators
>> on
>> those non-DC machines to grant to them the rights needed to do their
>> tasks
>> with the remote administration tools. Failing the ability to convince
>> people
>> that those tasks do not create a "requirement" to all DC local login
>> (and/or
>> remote desktop login), then use that group to grant Users membership and
>> the log on locally user right (make sure you do that in a GPO linked to
>> the
>> DC OU, not to the domain) and verify they are, one way or another,
>> members
>> of Users. You probably also need to make grants to that group so that
>> they
>> may do whatever the task behind the requirement is.
>>
>> So, that would be a way to do it. But resist! Aim to just delegate to
>> their
>> (not otherwise elevated) accounts and have them use remote tools.
>>
>> Roger
>>
>>
>>
 
D

Dan

It was early in the morning so the brain was not working fully. I will read
my post later and analyze it and thanks for the feedback, Steve. I
appreciate it.

"Steve Riley [MSFT]" wrote:

> Your statement:
>
> > It is bad enough in this day and age that it is becoming increasingly
> > difficult to have individual liberties and freedoms and hopefully the
> > States
> > will never become the society as seen by George Orwell's 1984 but we
> > unfortunately seem to be headed quickly down that path but it is not here
> > yet, thankfully.
>
> Is directly contradicted by your next statement:
>
> > The importance of maintaining a very limited knowledge
> > structure is getting more and more essential
>
> Do you not see this?
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:4C1425A8-925A-4F2C-8C06-BA4324B8263E@microsoft.com...
> > Exactly, Roger. You give people what they need to know on an as needed
> > basis
> > and only as much power as you are comfortable with giving them. This is
> > essential and if people need more information then the question should
> > always
> > be why and people seem to easily forget that their work machines are not
> > for
> > personnel use and every activity from work is monitored.
> > It is bad enough in this day and age that it is becoming increasingly
> > difficult to have individual liberties and freedoms and hopefully the
> > States
> > will never become the society as seen by George Orwell's 1984 but we
> > unfortunately seem to be headed quickly down that path but it is not here
> > yet, thankfully. The importance of maintaining a very limited knowledge
> > structure is getting more and more essential I am learning to effectively
> > work within the electronics industry and now I am most intereted in the
> > Desktop and User level and not too interested in networking because it is
> > too
> > complex for my brain to fully grasp.
> > The question of user trust and knowledge is essential and I have learned
> > too
> > many lessons the hard way from being burned. <grin and bear it and at
> > least I
> > can still smile about the most unfortunate experiences I have
> > encountered ---
> > thanks to great mvp's like you, Robear and Chris Quirke and many
> > others ---
> > too numerous to name them all>
> >
> > "Roger Abell [MVP]" wrote:
> >
> >> "Brodieman" <Brodieman@discussions.microsoft.com> wrote in message
> >> news:B350DA7C-99DD-482A-9605-E16374496592@microsoft.com...
> >> > Hi guys
> >> >
> >> > I have a requirement to be able to let certain sets of administrators
> >> > the
> >> > ability to login to domain controllers with out permissions over the
> >> > whole
> >> > domain.
> >> >
> >>
> >> Why? In general it is a poor practice to have DCs logged into except
> >> when necessary by domain admins. That's a generality of course.
> >> Most manamgement task can be accomplished by delegated users by
> >> use of remote admin tools.
> >>
> >> That said, "a set of administrators" means what? Administrators where?
> >>
> >> > Althought I can give the users PowerUser or LocalLogon rights via
> >> > making a
> >>
> >> Do not give Power User membership. If you really trust someone you might
> >> but the line between Power User and Domain Admin membership is thin as
> >> it is within Power User grants to elevate themselves if they really want.
> >>
> >> Local Logon and Users membership should be enough, unless you mean
> >> log in with remote desktop in which case use the Remote Desktop Users
> >> group instead of the logon locally user right.
> >>
> >> > domain security group a member of the PowerUser or LocalLogon group
> >> > there
> >> > does not appear to be a local admin group on DCs.
> >> >
> >>
> >> LocalLogon group must be something custom defined on your machine(s)
> >> so I cannot say what it does, but the logon locally user right (which
> >> might
> >> be granted to your LocalLogon group) is possibly enough to enable console
> >> login (assuming they are one way or another in Users). This holds for
> >> DCs
> >> as well as non-DC servers and workstations.
> >>
> >> > Can you with Server 2003 give a user just local admin to a DC without
> >> > DA
> >> > rights???
> >>
> >> Yes. But the distinction is just as thin as for Power Users.
> >> One just uses the Administrators group (in your domain in AD by default
> >> in
> >> the Built-in container). However, you really, really should aim at using
> >> the domain group that is used to make this set of admins Administrators
> >> on
> >> those non-DC machines to grant to them the rights needed to do their
> >> tasks
> >> with the remote administration tools. Failing the ability to convince
> >> people
> >> that those tasks do not create a "requirement" to all DC local login
> >> (and/or
> >> remote desktop login), then use that group to grant Users membership and
> >> the log on locally user right (make sure you do that in a GPO linked to
> >> the
> >> DC OU, not to the domain) and verify they are, one way or another,
> >> members
> >> of Users. You probably also need to make grants to that group so that
> >> they
> >> may do whatever the task behind the requirement is.
> >>
> >> So, that would be a way to do it. But resist! Aim to just delegate to
> >> their
> >> (not otherwise elevated) accounts and have them use remote tools.
> >>
> >> Roger
> >>
> >>
> >>
 
S

Steve Riley [MSFT]

Heh, don't over-analyze... I just thought it was curious that first you
express concern (rightly) over loss of individual and collective liberties,
nut then you stress that limiting access to knowledge is important. That's
where the contradiction lies: it's the lack of knowledge (and passion)
that's allowing our civilization to erode. Only when people become _more_
knowledgeable will we start to undo some of the damage. More knowledge is
always better.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Dan" <Dan@discussions.microsoft.com> wrote in message
news:A613C557-F8DC-4964-BEFD-3D63BB047B15@microsoft.com...
> It was early in the morning so the brain was not working fully. I will
> read
> my post later and analyze it and thanks for the feedback, Steve. I
> appreciate it.
>
> "Steve Riley [MSFT]" wrote:
>
>> Your statement:
>>
>> > It is bad enough in this day and age that it is becoming increasingly
>> > difficult to have individual liberties and freedoms and hopefully the
>> > States
>> > will never become the society as seen by George Orwell's 1984 but we
>> > unfortunately seem to be headed quickly down that path but it is not
>> > here
>> > yet, thankfully.
>>
>> Is directly contradicted by your next statement:
>>
>> > The importance of maintaining a very limited knowledge
>> > structure is getting more and more essential
>>
>> Do you not see this?
>>
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com
>>
>>
>>
>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> news:4C1425A8-925A-4F2C-8C06-BA4324B8263E@microsoft.com...
>> > Exactly, Roger. You give people what they need to know on an as needed
>> > basis
>> > and only as much power as you are comfortable with giving them. This
>> > is
>> > essential and if people need more information then the question should
>> > always
>> > be why and people seem to easily forget that their work machines are
>> > not
>> > for
>> > personnel use and every activity from work is monitored.
>> > It is bad enough in this day and age that it is becoming increasingly
>> > difficult to have individual liberties and freedoms and hopefully the
>> > States
>> > will never become the society as seen by George Orwell's 1984 but we
>> > unfortunately seem to be headed quickly down that path but it is not
>> > here
>> > yet, thankfully. The importance of maintaining a very limited
>> > knowledge
>> > structure is getting more and more essential I am learning to
>> > effectively
>> > work within the electronics industry and now I am most intereted in the
>> > Desktop and User level and not too interested in networking because it
>> > is
>> > too
>> > complex for my brain to fully grasp.
>> > The question of user trust and knowledge is essential and I have
>> > learned
>> > too
>> > many lessons the hard way from being burned. <grin and bear it and at
>> > least I
>> > can still smile about the most unfortunate experiences I have
>> > encountered ---
>> > thanks to great mvp's like you, Robear and Chris Quirke and many
>> > others ---
>> > too numerous to name them all>
 
R

Roger Abell [MVP]

"Shenan Stanley" <newshelper@gmail.com> wrote in message
news:OlYPNT4$IHA.1184@TK2MSFTNGP04.phx.gbl...
> Brodieman wrote:
>> I have a requirement to be able to let certain sets of
>> administrators the ability to login to domain controllers with
>> out permissions over the whole domain.
>>
>> Althought I can give the users PowerUser or LocalLogon rights via
>> making a domain security group a member of the PowerUser or
>> LocalLogon group there does not appear to be a local admin group
>> on DCs.
>>
>> Can you with Server 2003 give a user just local admin to a DC
>> without DA rights???
>
> S. Pidgorny <MVP> wrote:
>> No. You can grant permission to log on locally (group policy -
>> user righs assignments) and via remote desktop, and other rights
>> and permissions, but there's no such thing as local administrators
>> on DCs.
>
> Brodieman wrote:
>> Thanks you for that, i guess that might be the case.
>
>
> No need for guessing.
> Domain Controllers do not have local accounts.
>
> http://windowsitpro.com/article/art...-promote-a-server-to-a-domain-controller.html
>
> http://techrepublic.com.com/5208-7343-0.html?forumID=102&threadID=268861&start=0
>
> Good luck!
>
> --
> Shenan Stanley
> MS-MVP
> --

While that is true, that there is no local SAM of account during normal
DC operations, the requirement poster stated, to allow them to be
admins on the DCs without being admins over active directory is
satisfied by the Administrators group of the domain. Accounts in
that group are pretty much just domain users that also have admin
(i.e. server admin) rights when logged into a DC. They do not have
extra permissions in AD or on joined machines.

Roger
 
R

Roger Abell [MVP]

Hey Steve,

It seems we both choked a little when we got to that point.
Then I thought, maybe the consistent meaning is found by adding
a "by whom", limiting who knows.
I guess there is always a risk when one censors (limits knowledge).
If I recall, there was an uproar in the first Nixon administration when
a project was started to consolidate the 100+ federal data stores (113
if I recall correctly) that average American had info in, and the project
went quiet. Its really in who has access to info, or rather who doesn't,
and the inclination for uses that info how.

Roger

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:B9405C6D-799F-4D2B-B2CE-73E0AF6D7C02@microsoft.com...
> Heh, don't over-analyze... I just thought it was curious that first you
> express concern (rightly) over loss of individual and collective
> liberties, nut then you stress that limiting access to knowledge is
> important. That's where the contradiction lies: it's the lack of knowledge
> (and passion) that's allowing our civilization to erode. Only when people
> become _more_ knowledgeable will we start to undo some of the damage. More
> knowledge is always better.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:A613C557-F8DC-4964-BEFD-3D63BB047B15@microsoft.com...
>> It was early in the morning so the brain was not working fully. I will
>> read
>> my post later and analyze it and thanks for the feedback, Steve. I
>> appreciate it.
>>
>> "Steve Riley [MSFT]" wrote:
>>
>>> Your statement:
>>>
>>> > It is bad enough in this day and age that it is becoming increasingly
>>> > difficult to have individual liberties and freedoms and hopefully the
>>> > States
>>> > will never become the society as seen by George Orwell's 1984 but we
>>> > unfortunately seem to be headed quickly down that path but it is not
>>> > here
>>> > yet, thankfully.
>>>
>>> Is directly contradicted by your next statement:
>>>
>>> > The importance of maintaining a very limited knowledge
>>> > structure is getting more and more essential
>>>
>>> Do you not see this?
>>>
>>>
>>> --
>>> Steve Riley
>>> steve.riley@microsoft.com
>>> http://blogs.technet.com/steriley
>>> http://www.protectyourwindowsnetwork.com
>>>
>>>
>>>
>>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>>> news:4C1425A8-925A-4F2C-8C06-BA4324B8263E@microsoft.com...
>>> > Exactly, Roger. You give people what they need to know on an as
>>> > needed
>>> > basis
>>> > and only as much power as you are comfortable with giving them. This
>>> > is
>>> > essential and if people need more information then the question should
>>> > always
>>> > be why and people seem to easily forget that their work machines are
>>> > not
>>> > for
>>> > personnel use and every activity from work is monitored.
>>> > It is bad enough in this day and age that it is becoming increasingly
>>> > difficult to have individual liberties and freedoms and hopefully the
>>> > States
>>> > will never become the society as seen by George Orwell's 1984 but we
>>> > unfortunately seem to be headed quickly down that path but it is not
>>> > here
>>> > yet, thankfully. The importance of maintaining a very limited
>>> > knowledge
>>> > structure is getting more and more essential I am learning to
>>> > effectively
>>> > work within the electronics industry and now I am most intereted in
>>> > the
>>> > Desktop and User level and not too interested in networking because it
>>> > is
>>> > too
>>> > complex for my brain to fully grasp.
>>> > The question of user trust and knowledge is essential and I have
>>> > learned
>>> > too
>>> > many lessons the hard way from being burned. <grin and bear it and at
>>> > least I
>>> > can still smile about the most unfortunate experiences I have
>>> > encountered ---
>>> > thanks to great mvp's like you, Robear and Chris Quirke and many
>>> > others ---
>>> > too numerous to name them all>
>
>
 
D

Dan

Heh, thanks and now do we just need knowledge or can I add wisdom to that
mix, Steve. <grin>

"Steve Riley [MSFT]" wrote:

> Heh, don't over-analyze... I just thought it was curious that first you
> express concern (rightly) over loss of individual and collective liberties,
> nut then you stress that limiting access to knowledge is important. That's
> where the contradiction lies: it's the lack of knowledge (and passion)
> that's allowing our civilization to erode. Only when people become _more_
> knowledgeable will we start to undo some of the damage. More knowledge is
> always better.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:A613C557-F8DC-4964-BEFD-3D63BB047B15@microsoft.com...
> > It was early in the morning so the brain was not working fully. I will
> > read
> > my post later and analyze it and thanks for the feedback, Steve. I
> > appreciate it.
> >
> > "Steve Riley [MSFT]" wrote:
> >
> >> Your statement:
> >>
> >> > It is bad enough in this day and age that it is becoming increasingly
> >> > difficult to have individual liberties and freedoms and hopefully the
> >> > States
> >> > will never become the society as seen by George Orwell's 1984 but we
> >> > unfortunately seem to be headed quickly down that path but it is not
> >> > here
> >> > yet, thankfully.
> >>
> >> Is directly contradicted by your next statement:
> >>
> >> > The importance of maintaining a very limited knowledge
> >> > structure is getting more and more essential
> >>
> >> Do you not see this?
> >>
> >>
> >> --
> >> Steve Riley
> >> steve.riley@microsoft.com
> >> http://blogs.technet.com/steriley
> >> http://www.protectyourwindowsnetwork.com
> >>
> >>
> >>
> >> "Dan" <Dan@discussions.microsoft.com> wrote in message
> >> news:4C1425A8-925A-4F2C-8C06-BA4324B8263E@microsoft.com...
> >> > Exactly, Roger. You give people what they need to know on an as needed
> >> > basis
> >> > and only as much power as you are comfortable with giving them. This
> >> > is
> >> > essential and if people need more information then the question should
> >> > always
> >> > be why and people seem to easily forget that their work machines are
> >> > not
> >> > for
> >> > personnel use and every activity from work is monitored.
> >> > It is bad enough in this day and age that it is becoming increasingly
> >> > difficult to have individual liberties and freedoms and hopefully the
> >> > States
> >> > will never become the society as seen by George Orwell's 1984 but we
> >> > unfortunately seem to be headed quickly down that path but it is not
> >> > here
> >> > yet, thankfully. The importance of maintaining a very limited
> >> > knowledge
> >> > structure is getting more and more essential I am learning to
> >> > effectively
> >> > work within the electronics industry and now I am most intereted in the
> >> > Desktop and User level and not too interested in networking because it
> >> > is
> >> > too
> >> > complex for my brain to fully grasp.
> >> > The question of user trust and knowledge is essential and I have
> >> > learned
> >> > too
> >> > many lessons the hard way from being burned. <grin and bear it and at
> >> > least I
> >> > can still smile about the most unfortunate experiences I have
> >> > encountered ---
> >> > thanks to great mvp's like you, Robear and Chris Quirke and many
> >> > others ---
> >> > too numerous to name them all>
>
>
 
You must log in or register to reply here.

Similar threads

Y
I'm unable to login with default Administrator account in windows server 2019
Replies
0
Views
20
Yaser vp
Y
D
when logging in to server domain admin account gets non admin privileges
Replies
0
Views
24
Doug Poulin (dougp)
D
S
Unable to give a non Domain Admin access to rename a Computer through delegated permissions
Replies
0
Views
30
Stokesy_889
S
A
Need to enable and disable a network adapter without local admin privileges to domain user ?
Replies
0
Views
45
Ajay mathew2
A
M
User Rights Assignment GPO has no effect after promoting Server 2022 to a domain controller
Replies
0
Views
35
Mark Davis5
M
Back
Top Bottom