Mark Minasi's Tech Forum
Endaar

#1

Hi All,

We finally switched our domain admins to using both a standard user account for most stuff and a separate DA account for whatever needs DA permissions. I have things set up so I can run Explorer with DA credentials and access files as needed, however there does not appear to be a way to copy files from Explorer running as a DA to any app running under my standard account.

For instance, I just tried to attach a file to an e-mail; Outlook is running as my standard user account and the file was through a DA Explorer instance (since it wasn't accessible with my standard account) - there was no way to copy or drag and drop the file to the message. The same problem exists when trying to copy to a standard Explorer instance.

There's got to be some way of doing this. What am I missing?

Thanks!

James

wobble_wobble

#2
Have a share on your workstation or a jumpbox, accessible only to your DA and standard account (one for each admin).
Drop files, folders, etc. in there for copying, email, etc.
Have a scheduled task wrap around nightly to delete the files from the share, just to clean up after yourself.


__________________
Have you tried turning it off and walking away? The next person can fix it!
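
The setup described in post #2, sketched as an added PowerShell example that is not part of the original thread: a per-admin folder whose NTFS and share permissions list only the two accounts, plus a nightly task that empties it. The path, share name, task name and `CONTOSO\...` account names are hypothetical placeholders, and the SMB and scheduled-task cmdlets assume Windows 8 / Server 2012 or later.

```powershell
#Requires -RunAsAdministrator
# Added example; every name below is a placeholder to adapt.
$Path      = 'C:\AdminDrop\james'      # one folder per admin
$ShareName = 'drop-james$'             # trailing $ keeps it out of browse lists
$StdUser   = 'CONTOSO\james'           # standard account (placeholder)
$DaUser    = 'CONTOSO\james-da'        # separate DA account (placeholder)

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS: stop inheriting from the parent and drop any existing explicit ACEs,
# so that only the entries added below remain.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

$inherit = 'ContainerInherit,ObjectInherit'
$entries = @(
    @($StdUser, 'Modify'),
    @($DaUser,  'Modify'),
    @('NT AUTHORITY\SYSTEM', 'FullControl')   # needed by the cleanup task
)
foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry[0], $entry[1], $inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share permissions: only the two accounts, no Everyone entry.
New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $StdUser, $DaUser | Out-Null

# Nightly cleanup, run locally as SYSTEM so no admin credential is stored in the task.
$cleanup   = "Get-ChildItem -LiteralPath '$Path' -Force | Remove-Item -Recurse -Force"
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -Command `"$cleanup`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Purge admin drop share' -Action $action `
    -Trigger $trigger -Principal $principal | Out-Null

# Check the result: both lists should show only the accounts added above.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```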

Endaar

#3
Thanks wobble.

That's pretty much what I've been doing - I was just hoping there was a more elegant way.

James
downtime

#4
Is it really necessary to have separate accounts nowadays? I thought Windows 7 runs in the context of a standard user account unless you need DA access then UAC kicks in?
wobble_wobble

#5
Yes it

Otherwise when did you log in to go to work and when did you log in to do Admin work?
If your accounts get jacked you may be able to track what they did.


jsclmedave

#6
We're moving to Privileged Access Workstations (PAW) https://technet.microsoft.com/en-us/library/mt634654.aspx for our Admins.
__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

Endaar

#7
Quote:
Originally Posted by downtime
Is it really necessary to have separate accounts nowadays? I thought Windows 7 runs in the context of a standard user account unless you need DA access then UAC kicks in?


I've resisted doing so for a long time but the latest variant of cryptolocker-type virus is scary...it apparently searches the network for any accessible network share, NOT just mapped drives. That might even include the C$ share. The way I see it, if a domain admin gets hit, you could potentially end up with every device on the domain being encrypted.

James
wobble_wobble

#8
Yes

And then the Oracle DB gets encrypted, the trojan hides in Dropbox, restore brings back the Oracle DB and then Oracle & Sharepoint get taken out.
Took a few days to figure that one out.
