

Use administrative tools to manage DC

Posted on 2009-02-11
Medium Priority
Last Modified: 2012-05-06
I read an article saying "If you have users who need to perform delegated administrative functions such as creating/modifying user accounts, install the administrative tools on their desktops and require them to work from there. Logging onto domain controllers should be restricted to Domain Admins only".

So on a workgroup XP (I didn't join it to the domain), I installed the 2003 SP 2 Administration Tools Pack for x86 editions. The workstation is in the same subnet as the DC, but I didn't join it to the domain. I just opened AD Users and Computers and typed in the domain name. Surprisingly, I was able to delete a user!! Why???
Question by:bubuko

Expert Comment

by:Toni Uranjek
ID: 23624285

Does the password of the local administrator on Windows XP match the password of the domain administrator? How are you logged on to Windows XP?


Author Comment

ID: 23624558
The password is the same. I logged on to XP as local admin. But still, it's unbelievable. This lets a non-domain user do that.

Accepted Solution

Toni Uranjek earned 1200 total points
ID: 23624745
This is the point: you are actually not logged on to the domain controller as a non-admin user. When your local credentials match those of a domain user, you are authenticated as the domain user. Change one or the other password or user name, and you won't be able to access AD if you don't authenticate again with correct credentials.

Author Comment

ID: 23630272
I see.. thank you! But I think it's not very secure like this.
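
An added example, not part of the original thread: a PowerShell filter that flags what the accepted answer describes, a privileged account authenticating to the DC over the network from a machine that is not a domain member. It assumes a DC that records logon event 4624 (Windows Server 2008 or later) and that such logons arrive as NTLM network logons; the function name, sample records, computer names and addresses are constructed for illustration.

```powershell
# Constructed sample records using the field names of Security event 4624.
# On a DC, build the same objects from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }
# by reading the named <Data> fields of each event's XML.
$SampleEvents = @(
    [pscustomobject]@{ TargetUserName = 'Administrator'; LogonType = 3
        AuthenticationPackageName = 'NTLM'; WorkstationName = 'XP-WORKGROUP'; IpAddress = '192.0.2.45' }
    [pscustomobject]@{ TargetUserName = 'Administrator'; LogonType = 3
        AuthenticationPackageName = 'Kerberos'; WorkstationName = 'ADMIN-PC01'; IpAddress = '192.0.2.20' }
    [pscustomobject]@{ TargetUserName = 'jsmith'; LogonType = 3
        AuthenticationPackageName = 'NTLM'; WorkstationName = 'XP-WORKGROUP'; IpAddress = '192.0.2.45' }
    [pscustomobject]@{ TargetUserName = 'Administrator'; LogonType = 2
        AuthenticationPackageName = 'Negotiate'; WorkstationName = 'DC01'; IpAddress = '127.0.0.1' }
)

function Find-OffDomainPrivilegedLogon {
    param(
        [Parameter(Mandatory)] [object[]] $LogonEvents,
        [Parameter(Mandatory)] [string[]] $DomainComputers,    # names of domain-joined machines
        [Parameter(Mandatory)] [string[]] $PrivilegedAccounts  # e.g. members of Domain Admins
    )
    foreach ($e in $LogonEvents) {
        # Only network logons (type 3): this is how a remote admin tool reaches the DC.
        if ([int]$e.LogonType -ne 3) { continue }
        # A local account on a workgroup machine has no Kerberos ticket, so it arrives as NTLM.
        if ($e.AuthenticationPackageName -ne 'NTLM') { continue }
        # Only accounts whose use from an unmanaged machine matters (-contains ignores case).
        if ($PrivilegedAccounts -notcontains $e.TargetUserName) { continue }
        # Logons from known domain members are expected; skip them.
        if ($DomainComputers -contains $e.WorkstationName) { continue }
        $e
    }
}

# Only the first sample record (Administrator, NTLM, from XP-WORKGROUP) is reported.
Find-OffDomainPrivilegedLogon -LogonEvents $SampleEvents `
    -DomainComputers 'DC01', 'ADMIN-PC01' `
    -PrivilegedAccounts 'Administrator' |
    Format-Table TargetUserName, WorkstationName, IpAddress, AuthenticationPackageName
```

WorkstationName in an NTLM logon is supplied by the client, so treat it as a hint and confirm the source with IpAddress.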
