I am an IT administrator of a very small company and was wondering if it was
possible to create a security group to add my username to that has access to
anything and everything. Just being a member of the administrators group
still seems to have denies for certain permissions. And if I create a
security group and set grants for everything in adsiedit it then allows for
some permissions that the administrators group is denied but then denies
other permissions. Being 1 of the 2 people that administrate this company I
figured it would be easier for us to have access to everything rather than
delegating specific permissions to each person.

Re: Is complete access in a win 2003 domain a possibility? by NovaSecure

NovaSecure
Wed May 09 14:14:28 CDT 2007

The "Enterprise Admin" or "Domain Admin" user group should do it.

Of course, you will need access to an account already having this
permission(s) in order to grant it to another account.

Graphic Jazz wrote:
> I am an IT administrator of a very small company and was wondering if it was
> possible to create a security group to add my username to that has access to
> anything and everything. Just being a member of the administrators group
> still seems to have denies for certain permissions. And if I create a
> security group and set grants for everything in adsiedit it then allows for
> some permissions that the administrators group is denied but then denies
> other permissions. Being 1 of the 2 people that administrate this company I
> figured it would be easier for us to have access to everything rather than
> delegating specific permissions to each person.

Re: Is complete access in a win 2003 domain a possibility? by Roger

Roger
Wed May 09 14:06:44 CDT 2007

"Graphic Jazz" <GraphicJazz@discussions.microsoft.com> wrote in message
news:2037273F-0CF5-4CA6-AEC1-E8D41D3FFD5E@microsoft.com...
> I am an IT administrator of a very small company and was wondering if it was
> possible to create a security group to add my username to that has access to
> anything and everything. Just being a member of the administrators group
> still seems to have denies for certain permissions. And if I create a
> security group and set grants for everything in adsiedit it then allows for
> some permissions that the administrators group is denied but then denies
> other permissions. Being 1 of the 2 people that administrate this company I
> figured it would be easier for us to have access to everything rather than
> delegating specific permissions to each person.

If you are asking "is there some group already there, into which I may
add an account and that account will then have access to everything in
the entire domain?" the answer is no.

Can such a group be defined? Feasibly yes.

But I am curious about your post. First, note that there is a big difference
between being denied some access and just not being allowed that access.
You are saying you are encountering places where an admin account is
denied. As I know of no place in a default Windows or AD install where
the Administrators group is denied anything, I am taking you to mean you find
places where the account has no access granted to it.

This makes me wonder whether you are dealing with customizations
or a (relatively) default setup. Can you give some examples of the
problems you have with access? Is the account you are using in the
Domain Admins group, or just in the Administrators group? (The last
does not really have the privs on AD objects that Domain Admins does.)

Roger



RE: Is complete access in a win 2003 domain a possibility? by GraphicJazz

GraphicJazz
Thu May 10 00:01:02 CDT 2007

Here are some examples of where I encounter problems:

If I am a member of the Administrators group I do not have full access to
our users' mailboxes, but I am able to remotely access any computer's local
drives by accessing the default shares (i.e. \\computername\c$).

If I am a member of the custom security group I created, where I have every
permission available in adsiedit set to allow, I can access our users'
mailboxes but I am not able to remotely access the local drives of any of the
computers by using the default shares (i.e. \\computername\c$).

"Graphic Jazz" wrote:

> I am an IT administrator of a very small company and was wondering if it was
> possible to create a security group to add my username to that has access to
> anything and everything. Just being a member of the administrators group
> still seems to have denies for certain permissions. And if I create a
> security group and set grants for everything in adsiedit it then allows for
> some permissions that the administrators group is denied but then denies
> other permissions. Being 1 of the 2 people that administrate this company I
> figured it would be easier for us to have access to everything rather than
> delegating specific permissions to each person.

Re: Is complete access in a win 2003 domain a possibility? by S

S
Thu May 10 04:19:21 CDT 2007

If you're a member of Domain Admins then you can grant yourself pretty much
any permission in the domain; Enterprise admins have all access to
forest-wide functions, and they are domain admins too by default.

I'm afraid access to admin shares is hardcoded to be granted to the
Administrators (I believe the GID is fixed).

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Graphic Jazz" <GraphicJazz@discussions.microsoft.com> wrote in message
news:F2D0B769-D439-4A92-B65F-E1E6357A151E@microsoft.com...
> Here are some examples of where I encounter problems:
>
> If I am a member of the Administrators group I do not have full access to
> our users' mailboxes, but I am able to remotely access any computer's local
> drives by accessing the default shares (i.e. \\computername\c$).
>
> If I am a member of the custom security group I created, where I have every
> permission available in adsiedit set to allow, I can access our users'
> mailboxes but I am not able to remotely access the local drives of any of the
> computers by using the default shares (i.e. \\computername\c$).
>


Re: Is complete access in a win 2003 domain a possibility? by GraphicJazz

GraphicJazz
Thu May 10 08:13:00 CDT 2007

I made a post of examples.

"Roger Abell [MVP]" wrote:

> "Graphic Jazz" <GraphicJazz@discussions.microsoft.com> wrote in message
> news:2037273F-0CF5-4CA6-AEC1-E8D41D3FFD5E@microsoft.com...
> > I am an IT administrator of a very small company and was wondering if it was
> > possible to create a security group to add my username to that has access to
> > anything and everything. Just being a member of the administrators group
> > still seems to have denies for certain permissions. And if I create a
> > security group and set grants for everything in adsiedit it then allows for
> > some permissions that the administrators group is denied but then denies
> > other permissions. Being 1 of the 2 people that administrate this company I
> > figured it would be easier for us to have access to everything rather than
> > delegating specific permissions to each person.
>
> If you are asking "is there some group already there, into which I may
> add an account and that account will then have access to everything in
> the entire domain?" the answer is no.
>
> Can such a group be defined? Feasibly yes.
>
> But I am curious about your post. First, note that there is a big difference
> between being denied some access and just not being allowed that access.
> You are saying you are encountering places where an admin account is
> denied. As I know of no place in a default Windows or AD install where
> the Administrators group is denied anything, I am taking you to mean you find
> places where the account has no access granted to it.
>
> This makes me wonder whether you are dealing with customizations
> or a (relatively) default setup. Can you give some examples of the
> problems you have with access? Is the account you are using in the
> Domain Admins group, or just in the Administrators group? (The last
> does not really have the privs on AD objects that Domain Admins does.)
>
> Roger
>
>
>

Re: Is complete access in a win 2003 domain a possibility? by GraphicJazz

GraphicJazz
Thu May 10 08:17:01 CDT 2007

Well, I am logging in as Administrator on the server so I am able to pretty
much change anything I can see.

As for the Enterprise or Domain Admins groups, it seems those accounts have
the same limitations as the Administrators group.

"NovaSecure" wrote:

> The "Enterprise Admin" or "Domain Admin" user group should do it.
>
> Of course, you will need access to an account already having this
> permission(s) in order to grant it to another account.
>
> Graphic Jazz wrote:
> > I am an IT administrator of a very small company and was wondering if it was
> > possible to create a security group to add my username to that has access to
> > anything and everything. Just being a member of the administrators group
> > still seems to have denies for certain permissions. And if I create a
> > security group and set grants for everything in adsiedit it then allows for
> > some permissions that the administrators group is denied but then denies
> > other permissions. Being 1 of the 2 people that administrate this company I
> > figured it would be easier for us to have access to everything rather than
> > delegating specific permissions to each person.
>

Re: Is complete access in a win 2003 domain a possibility? by Roger

Roger
Thu May 10 16:56:30 CDT 2007

Hey Graphic Jazz, here are some factors to consider.

The Administrators group does not have permissions in lots of
places in AD, so unless an account is a member of some
other group, like Domain Admins, that account will have
limited access in AD.

It is expected that an account may need to be a member of
multiple groups, and grants to groups are somewhat laid
out in a logical fashion. For example, just because an account
is an Administrators member, that does not mean that they
need to modify Exchange settings, and vice versa: one does
not expect that an Exchange admin will necessarily always
need to be an admin of the DC servers or have Domain
Admin-like capabilities across a domain context in AD.

The Administrator account might or might not be a member
of Domain Admins; it can be either way.

Setting permissions on AD objects via AdsiEdit may not
have the effect one thinks, and it can be harmful if care is
not taken. Very many places might not inherit from the top
as one might expect. People are best off not altering the
permissions on AD objects unless they carefully consider
and know what they are doing, that is, what side effects
might result. Sometimes multiple settings need to be done
in combination; attempts to force things to inherit can wipe
out needed settings, etc., and messes can be intractable.

It sounds to me like you want an account that is in Domain
Admins (of your domain), is an Exchange admin, and, if
Domain Admins is no longer in the domain's Administrators
group, then an account that is also in Administrators.
You really are better off having special accounts for some
things rather than one that has everything, for example,
a special account that is in Enterprise Admins and/or Schema
Admins. Part of the reason is to limit accidents and part is to
keep the deeply essential safer from impacts if an account
is compromised. In general, an account that has only the ability
to do the common, day-to-day stuff is what one should use day
in and day out.

Roger



"Graphic Jazz" <GraphicJazz@discussions.microsoft.com> wrote in message
news:2037273F-0CF5-4CA6-AEC1-E8D41D3FFD5E@microsoft.com...
> I am an IT administrator of a very small company and was wondering if it was
> possible to create a security group to add my username to that has access to
> anything and everything. Just being a member of the administrators group
> still seems to have denies for certain permissions. And if I create a
> security group and set grants for everything in adsiedit it then allows for
> some permissions that the administrators group is denied but then denies
> other permissions. Being 1 of the 2 people that administrate this company I
> figured it would be easier for us to have access to everything rather than
> delegating specific permissions to each person.
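Two points in the thread turn on which well-known groups an account's logon token actually carries: Svyatoslav's note that admin shares such as \\computername\c$ are tied to the built-in Administrators group, and Roger's point that Administrators membership alone does not give Domain Admins rights in AD (and that the Administrator account may or may not be in Domain Admins). The following PowerShell script is an added example, not code from any poster, that audits this for the account running it. It resolves the four groups by their well-known SIDs (BUILTIN\Administrators is the fixed S-1-5-32-544; Domain Admins, Enterprise Admins and Schema Admins are the domain SID plus RIDs 512, 519 and 518) and asks the token whether each one is present, which also catches membership reached through nesting. It assumes a domain account on a domain-joined machine; the function name `Get-HighPrivilegeMembership` is my own.

```powershell
# Added example (not from the thread): report which built-in high-privilege
# groups the *current* logon token effectively contains, nesting included.
# Assumes a domain account on a domain-joined Windows machine with
# Windows PowerShell 2.0 or later. On systems with UAC, run it elevated;
# a filtered token marks Administrators deny-only and it will show as absent.

function Get-HighPrivilegeMembership {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # The domain SID is the account SID without its RID. The account-domain
    # well-known types (Domain Admins = RID 512, Enterprise Admins = 519,
    # Schema Admins = 518) are constructed from it. For a local account this
    # yields the machine SID, so those three checks simply come back false.
    $domainSid = $identity.User.AccountDomainSid

    $checks = @(
        @{ Name = 'BUILTIN\Administrators (S-1-5-32-544)'; Type = 'BuiltinAdministratorsSid';   Domain = $null }
        @{ Name = 'Domain Admins (RID 512)';                Type = 'AccountDomainAdminsSid';     Domain = $domainSid }
        @{ Name = 'Enterprise Admins (RID 519)';            Type = 'AccountEnterpriseAdminsSid'; Domain = $domainSid }
        @{ Name = 'Schema Admins (RID 518)';                Type = 'AccountSchemaAdminsSid';     Domain = $domainSid }
    )

    foreach ($c in $checks) {
        $wellKnown = [Enum]::Parse([System.Security.Principal.WellKnownSidType], $c.Type)
        # Builtin types ignore the domain argument; account-domain types require it.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($wellKnown, $c.Domain)

        # IsInRole evaluates the logon token itself, so groups reached through
        # nesting (e.g. Domain Admins placed inside local Administrators) count.
        New-Object PSObject -Property @{
            Account  = $identity.Name
            Group    = $c.Name
            Sid      = $sid.Value
            IsMember = $principal.IsInRole($sid)
        }
    }
}

Get-HighPrivilegeMembership | Format-Table Account, Group, Sid, IsMember -AutoSize
```

Reading the output against the thread: a row showing Administrators present but Domain Admins absent is the first situation Graphic Jazz describes (admin shares reachable, AD and Exchange objects not), and a custom group with broad AdsiEdit grants will never make the S-1-5-32-544 row true, which is why the c$ shares stop working in the second. Running it under each of the two admin accounts, and under the day-to-day account Roger recommends, is a quick way to confirm that only the intended account carries the forest-wide groups.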