 
From: Al Miller (alamicas.com)
Date: Thu Nov 08 2001 - 14:04:35 CST


    You can designate an OU for these user accounts and delegate control of
    the OU to whomever you like. Anyone can add and edit user accounts; they
    just need to be given the appropriate permissions.

    -----Original Message-----
    From: Derek T [mailto:sigmafivehotmail.com]
    Sent: Thursday, November 08, 2001 12:11 PM
    To: focus-mslists.securityfocus.com
    Subject: Creating/editing user accounts

    A quick question about AD and web enabled services.

    The company I work for is trying to offer the ability to open and
    manipulate accounts from the Web (kind of like Yahoo or Hotmail). The
    problem lies in the choice to use AD on the segmented network. With AD
    the only ID with the rights to create and edit user accounts are
    sys-admins, something that you cannot allow anonymous web browsers to
    assume. Also this will be a branch off the main corporate network (in
    its own DMZ) to allow customer service reps to access and work with the
    same data from the main tree. Any ideas on how this can be accomplished
    and kept secure, or is it a pipe dream?

    Also in the event that a process is given the Sys-admin rights instead
    of a user, what potential security implications does this pose? It seems
    as if almost every discussion of a new vulnerability starts with "You
    see, there was this process running with administrator rights...." =)

    Thanks for the insights

    D True

    "If debugging is the process of removing software bugs, then programming
    must be the process of putting them in."- L. Owando
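
The OU delegation described in the reply, sketched with `dsacls` as an added example that is not part of either message. The OU path and the account name are assumptions chosen for illustration; the point is that the web tier runs as an account whose rights stop at one OU instead of as a sys-admin.

```powershell
# Assumed names (hypothetical, not from the thread); adjust to your directory.
$ou      = 'OU=WebCustomers,DC=example,DC=com'  # OU holding only the web-created accounts
$trustee = 'EXAMPLE\svc-webprovision'           # low-privilege account the web process runs as

# 1. Let the trustee create and delete *user* objects in this OU and below.
#    CC = create child, DC = delete child; ";user" restricts it to the user class.
#    ${trustee} is braced so PowerShell does not read "$trustee:" as a scope prefix.
dsacls $ou /I:T /G "${trustee}:CCDC;user"
if ($LASTEXITCODE -ne 0) { throw "Granting create/delete on $ou failed" }

# 2. Let the trustee edit the user objects under the OU.
#    /I:S applies the ACE to sub-objects only; the trailing ";user" limits
#    inheritance to user objects, so groups and computers are untouched.
dsacls $ou /I:S /G "${trustee}:GA;;user"
if ($LASTEXITCODE -ne 0) { throw "Granting user management on $ou failed" }

# 3. Review what was actually written: list the ACEs on the OU that name the trustee.
dsacls $ou | Select-String -SimpleMatch -Pattern $trustee
```

Because the ACEs sit on the OU, the account has no rights over users elsewhere in the domain, which limits what a compromise of the web process can reach.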
