replication monitoring rights


edwardb

We have recently gone through a strict security measure and removed
pretty much everyone from domain admins and started to delegate every
little task people need to do.
There are 2 things I have questions about:
1. What rights are needed to perform AD replication monitoring when not
a domain admin?
2. Using vbscript and the adsi interface, performing mass updates to
user account. I have a feeling that .SetInfo cannot be done as they are
no longer domain admins, BUT have full delegation to their users? Is
there another permission needed for this?

Thanks.
 
1. What rights are needed to perform AD replication monitoring when not a
domain admin?

Are we talking about viewing the status using replmon or being able to force
replication by right-clicking connection objects and choosing replicate now?

There are atomic permissions that cover this on each partition. So you will
need to configure the appropriate permissions on the Enterprise and domain
partitions. If this is what you are after let us know.

2. Using vbscript and the adsi interface, performing mass updates to user
account. I have a feeling that .SetInfo cannot be done as they are no
longer domain admins, BUT have full delegation to their users? Is there
another permission needed for this?

How have you configured permissions, and what are you trying to set?
Specific examples of failures will better help us to help you. Also, ensure
that the permissions set at the OU level are inherited by all objects within
that OU. Sometimes you'll find objects that are not set to inherit. Also,
the PDCe resets protected group members back to not inherit, etc., as defined
on the adminSDHolder object, every hour.


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
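Added example (not posted by anyone in this thread): a PowerShell check for the two causes of "delegated on the OU, but SetInfo still fails" that the reply above describes. It walks an OU, reports user objects whose ACL has inheritance blocked and objects carrying adminCount=1 (the marker SDProp uses when it stamps the AdminSDHolder ACL onto protected-group members), and, with -TryWrite, performs the same Put/SetInfo round trip the mass-update scripts do so the failing objects are listed before a bulk run. The OU DN is an assumed placeholder; it writes a temporary description and restores the original value.

```powershell
# Added example, not from the thread. Assumed DN; run it as the delegated
# (non-Domain Admin) account that will perform the mass update.
param(
    [string]$OU = 'OU=Staff,DC=example,DC=com',   # assumed placeholder DN
    [switch]$TryWrite                              # actually attempt a SetInfo on each object
)

$ouEntry  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OU")
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    $ouEntry, '(&(objectCategory=person)(objectClass=user))')
$searcher.PageSize = 500
foreach ($attr in 'distinguishedName', 'adminCount') { [void]$searcher.PropertiesToLoad.Add($attr) }

foreach ($r in $searcher.FindAll()) {
    $dn   = $r.Properties['distinguishedname'][0]
    $user = $r.GetDirectoryEntry()

    # ObjectSecurity is the object's nTSecurityDescriptor; AreAccessRulesProtected
    # is the "do not inherit" flag. Such objects never receive the OU-level ACEs.
    $blocked = $user.ObjectSecurity.AreAccessRulesProtected

    # adminCount=1 marks objects SDProp has stamped with the AdminSDHolder ACL.
    # Note SDProp sets it but never clears it, so an account removed from a
    # protected group stays blocked until adminCount and the flag are fixed by hand.
    $protected = ($r.Properties['admincount'].Count -gt 0) -and
                 ([int]$r.Properties['admincount'][0] -eq 1)

    $writeResult = 'not tried'
    if ($TryWrite) {
        try {
            # Put + SetInfo is exactly what the VBScript/ADSI mass update does.
            # A delegated account gets E_ACCESSDENIED (0x80070005) here on
            # objects that did not pick up the OU delegation.
            $original = $user.Properties['description'].Value
            $user.Put('description', 'delegation check')
            $user.SetInfo()
            if ($null -eq $original) { $user.PutEx(1, 'description', @()) }   # 1 = ADS_PROPERTY_CLEAR
            else                     { $user.Put('description', $original) }
            $user.SetInfo()
            $writeResult = 'ok'
        } catch {
            $writeResult = $_.Exception.GetBaseException().Message
        }
    }

    [pscustomobject]@{
        DN                 = $dn
        InheritanceBlocked = $blocked
        SDPropProtected    = $protected
        SetInfo            = $writeResult
    }
}
```

Anything reported with InheritanceBlocked or SDPropProtected set to True will keep failing no matter how the OU is delegated: the first needs inheritance re-enabled on the object (or an explicit ACE), the second is by design and should be handled by a Domain Admin rather than by widening the delegation.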

 
PT, Thanks.
For replication, it would be to check using replmon.

I myself am waiting for feedback on the exact error for the updates via
script. When I know I will post a new one, thanks.
 
1. Actually this can be done with normal user rights if you use the right
things. The repadmin and replmon tools use an RPC interface that forces you to
use enhanced rights. If you use the IADsTools DLL and scripts, it reads the AD
attributes directly and dumps the info, so it can be done with a normal user ID.

2. You don't need to be a DA to do a SetInfo. It depends entirely on the rights.


Overall, kicking everyone out of DAs is the best thing you can do. I ran a
250,000-user global forest with 2 other guys; we three were the only ones with
DA or EA access. Everyone else had some level of delegated rights. I don't
generally recommend giving people full control over user objects; it tends to
give too many permissions, especially when running Exchange.

joe
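Added example (not from any poster in this thread) of the read-only approach joe describes: instead of the DRS RPC calls that repadmin and replmon make, it reads a DC's own view of inbound replication over plain LDAP, which needs only Read on the partition head. It assumes Windows Server 2003 or later DCs, which expose the constructed attribute msDS-NCReplInboundNeighbors on each naming context; the DC and partition names are assumed placeholders, and the XML element names are those of the DS_REPL_NEIGHBOR structure that the attribute serializes.

```powershell
# Added example, not from the thread. Assumes Windows Server 2003+ DCs and
# placeholder names; run as an ordinary domain user.
function Get-InboundReplicationStatus {
    param(
        [string]$DomainController = 'dc01.example.com',   # assumed placeholder
        [string]$Partition        = 'DC=example,DC=com'    # assumed placeholder
    )

    # Constructed attributes are returned only when explicitly requested, and the
    # value is THIS DC's view, so bind to the DC by name rather than to the domain.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$Partition")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)')
    $searcher.SearchScope = 'Base'
    [void]$searcher.PropertiesToLoad.Add('msDS-NCReplInboundNeighbors')

    $result = $searcher.FindOne()
    if (-not $result) { throw "Could not read $Partition on $DomainController" }

    # One XML fragment per replication partner; field names follow DS_REPL_NEIGHBOR.
    foreach ($xmlText in $result.Properties['msds-ncreplinboundneighbors']) {
        $n = ([xml]$xmlText).DS_REPL_NEIGHBOR
        [pscustomobject]@{
            DomainController = $DomainController
            Partition        = $Partition
            SourceDsa        = $n.pszSourceDsaDN
            LastSuccess      = $n.ftimeLastSyncSuccess
            LastAttempt      = $n.ftimeLastSyncAttempt
            LastResult       = [int]$n.dwLastSyncResult            # 0 = success, otherwise a Win32 error code
            ConsecutiveFails = [int]$n.cNumConsecutiveSyncFailures
        }
    }
}

# Report every partner with a non-zero last result or repeated failures on
# every partition this DC holds (RootDSE lists them in namingContexts).
$dc      = 'dc01.example.com'                                  # assumed placeholder
$rootDse = [ADSI]"LDAP://$dc/RootDSE"
foreach ($nc in $rootDse.namingContexts) {
    Get-InboundReplicationStatus -DomainController $dc -Partition $nc |
        Where-Object { $_.LastResult -ne 0 -or $_.ConsecutiveFails -gt 0 } |
        Format-Table Partition, SourceDsa, LastSuccess, LastResult, ConsecutiveFails -AutoSize
}
```

This gives the "is replication healthy" answer replmon is being used for without any replication rights. Forcing a sync is a different matter: that goes through the RPC interface and still requires the Replication Synchronization right on the partition, so keep the two roles separate.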
 
I agree, and I'm glad they finally did it. It took an audit and the threat of
millions in fines to finally get over the crying and remove everyone.
These people are not that good at scripting and want to use replmon.
 
I would tell them tough, learn to do their job. Being a member of the domain
admins group doesn't make someone an administrator. Conversely, someone who
knows how things work can do a considerable amount with only user access rights.

If they don't know how to do things with AD, they shouldn't have rights in it.

In K3, things are a little more flexible to allow users to use repadmin/replmon.

joe
 
Off the top of my head, I'm not sure what's needed to just view replication.
I'd guess at read access to the domain, configuration and schema partitions.

To allow replication you set these permissions on each partition:
-- Replicating Directory Changes; and
-- Replication Synchronization


There's a delegation whitepaper which lists a lot of tasks like this in the
appendices. A casual glance at the atomic permissions on each partition
will probably be enough to ascertain what is needed to view replication; I'm
not in front of a DC at the moment, so can't do this.

You might want to start testing with just read.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
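Added example (not from any poster in this thread) of setting the partition-level control access rights the reply above refers to, using dsacls so the grant is repeatable on every naming context rather than clicked through ADSI Edit. The group name is an assumed placeholder. One caveat a practitioner should weigh before copying the list above: "Replicating Directory Changes" (DS-Replication-Get-Changes) is the right the DRS interface checks before handing out the contents of a partition, so a holder can pull every object in it; a group that only needs "replicate now" gets "Replication Synchronization", and repadmin's topology queries such as /showrepl and /kcc need "Manage Replication Topology". Verify the final set with a test account in your own environment.

```powershell
# Added example, not from the thread. Assumed group name; run as a Domain Admin
# (or Enterprise Admin for the configuration and schema partitions).
param([string]$Group = 'EXAMPLE\AD-Repl-Operators')   # assumed placeholder

# RootDSE.namingContexts lists the domain, Configuration, Schema and any
# application partitions (e.g. DomainDnsZones) this DC holds; replmon shows all of them.
$rootDse    = [ADSI]'LDAP://RootDSE'
$partitions = @($rootDse.namingContexts)

# dsacls grants a control access right as  /G "principal:CA;<right display name>".
# Deliberately not granting "Replicating Directory Changes": for a monitoring or
# replicate-now role it is more than is needed and is the right that lets a
# caller replicate the whole partition out over DRS.
$rights = @('Replication Synchronization', 'Manage Replication Topology')

foreach ($nc in $partitions) {
    foreach ($right in $rights) {
        & dsacls.exe $nc /G "${Group}:CA;$right" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed on '$nc' for '$right'" }
    }

    # Read the ACL back and show only the ACEs that mention the group, so the
    # result can be eyeballed (and diffed later) per partition.
    & dsacls.exe $nc |
        Select-String -SimpleMatch $Group |
        ForEach-Object { "{0}: {1}" -f $nc, $_.Line.Trim() }
}
```

Run the same dsacls listing again after SDProp's next pass (the hourly cycle mentioned earlier in the thread) only if you have placed the group under a protected container; partition heads are not protected objects, so these ACEs stay put. If a delegated user still cannot force a sync afterwards, the failing call is the RPC path, not LDAP, so test with repadmin rather than with an ADSI read.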
