
‎11-03-2010 12:59 PM
I was wondering what the syntax for defining authorized administrators is:
I want to allow Mr. Garcia to be administrator on his PC in domain one but not on his PC in domain two. Everything I try to allow him to be administrator explicitly on this PC does not change the report.
Report says
Computer Domain Description Domainname Username
it-ag one one garcia
it-ag two one garcia
I tried:
Domain/Computer Administrator account
one\it-ag garcia
one/it-ag garcia
one%it-ag garcia
one\it-ag% garcia
one/it-ag% garcia
it-ag garcia
Nothing worked, in all cases Mr. Garcia still appears in the report as shown above.
Other lines like "Domain/Computer: bc-% Administrator account: bc" work...
What is the syntax? Is everything case sensitive? Or is it a bug?

‎11-05-2010 10:34 AM
I don't want to define simply "accounts" but "accounts on machines". So the configuration view could get extended from "domain/computer | Administrator" to "Computer's Domain | Computername | User's Domain/Computer | Username" and the report could get extended this way.
Example:
I have defined some domain accounts to be authorized administrators on all machines (no problem so far). Now some software supplier installs some part of software which is insecure but has to run on only one machine using admin rights. I want to get alerted if anybody else uses this admin user on any other machine.
Other example, see above: Mr. Garcia is allowed to be Administrator on his old PC in the old domain but the same user is not allowed to be administrator on his new machine. He has two PCs but he only has one user because there is a trust. Mr. Garcia has the ability to grant the rights himself - this is why I want to get alerted.
Good idea?

‎11-05-2010 09:37 PM
Fossy777 wrote:
Other example, see above: Mr. Garcia is allowed to be Administrator on his old PC in the old domain but the same user is not allowed to be administrator on his new machine. He has two PCs but he only has one user because there is a trust. Mr. Garcia has the ability to grant the rights himself - this is why I want to get alerted.
4.1 will scan Event Viewer information and success events; you can use this to create reports when someone changes access permissions.

‎11-04-2010 12:20 PM
After I created a report per domain: How can I define him to be allowed administrator on a specific machine? This also does not work I now recognized...
Tried to simply fill in his hostname "one" but he is still shown as unauthorized...

‎11-04-2010 03:25 PM
Fossy777 wrote:
Sad but OK.
After I created a report per domain: How can I define him to be allowed administrator on a specific machine? This also does not work I now recognized...
Tried to simply fill in his hostname "one" but he is still shown as unauthorized...
This does not work because the field "Domain/Computer" identifies the machine part of the user credential to be checked and not the machine on which he would be allowed to be Administrator. Am I right?
So I only can define a domain user to be allowed local administrator anyway in a specific domain but not only on a specific machine?

‎11-04-2010 05:00 PM
This does not work because the field "Domain/Computer" identifies the machine part of the user credential to be checked and not the machine on which he would be allowed to be Administrator. Am I right?
Correct
So I only can define a domain user to be allowed local administrator anyway in a specific domain but not only on a specific machine?
You can define a domain user as:
1st column: domain, 2nd column: username
You can define a local user as:
1st column: computername, 2nd column: username
(computername can be a wildcard "%")
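
The matching described in the answer above, as an added example that is not part of the thread or the product's own code: it models a rule as (account domain or computer name, username) with "%" as the wildcard, and contrasts it with the per-machine rule requested elsewhere in the thread. The report rows, the `bc-07` host, the function names and the case-insensitive comparison are assumptions made for this sketch.

```python
import re

# Constructed report rows: (computer, computer_domain, account_domain, username).
# For a local account, account_domain is the computer name.
REPORT = [
    ("it-ag", "one", "one", "garcia"),
    ("it-ag", "two", "one", "garcia"),
    ("bc-07", "one", "bc-07", "bc"),
]

def like(pattern, value):
    """'%' matches any run of characters; everything else is literal.
    Case-insensitive comparison is an assumption of this sketch."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def flagged_by_account(report, rules):
    """Model of the behaviour described in the thread: a rule is
    (account domain or computer name, username); the scanned machine is ignored."""
    return [row for row in report
            if not any(like(dom, row[2]) and like(user, row[3])
                       for dom, user in rules)]

def flagged_by_machine(report, rules):
    """Hypothetical extension requested in the thread: a rule is
    (computer domain, computer, account domain, username)."""
    return [row for row in report
            if not any(all(like(p, v) for p, v in
                           zip(rule, (row[1], row[0], row[2], row[3])))
                       for rule in rules)]

if __name__ == "__main__":
    # The attempted "one\it-ag" never equals the account domain "one".
    print(flagged_by_account(REPORT, [("one\\it-ag", "garcia"), ("bc-%", "bc")]))
    # Domain rule: garcia is cleared on both machines, including the one in domain two.
    print(flagged_by_account(REPORT, [("one", "garcia"), ("bc-%", "bc")]))
    # Per-machine rule: only the domain-two machine is still reported.
    print(flagged_by_machine(REPORT, [("one", "it-ag", "one", "garcia"),
                                      ("%", "bc-%", "bc-%", "bc")]))
```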

‎11-04-2010 12:12 PM
But he is only allowed to be administrator on only this machine in domain one!

‎11-04-2010 12:16 PM
Fossy777 wrote:
Then he may be administrator on all machines in domain one and the report does not show.
But he is only allowed to be administrator on only this machine in domain one!
That's how the report works.
If you don't want this you will need to create your own custom report per domain.

‎11-04-2010 12:09 PM
First column is the domain name: one
Second column is the username: garcia
(make sure you remove any spaces after the username)

‎11-04-2010 11:56 AM
Do you see the new user in the users in groups page?
