Mark Minasi's Reader Forum
Mark Minasi's Reader Forum
Home | Profile | Register | Active Topics | Active Polls | Members | Search | FAQ | Minasi Forum RSS Feed
Username:
 Password:
Save Password
Forgot your Password?

 All Forums
 HALP! Questions on Windows and Windows Server
 Active Directory
 Computer Account in Domain Admins Group		  New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

rmoore@afsc.org
Here To Stay

USA
260 Posts
Status: offline
Posted - 04/20/2012 :  11:23:16 AM  Show Profile  Reply with Quote
Hello All--

I posted this question in the DPM forum. But I thought I would post it here as well, since it's really an AD question.

I've been working for several days to find a solution to a problem with DPM. I finally stumbled across something at social.technet.microsoft.com that has fixed the problem. I put the computer account of our DPM server into the Domain Admins group. (Our AD is 2008 R2, raised to the highest functional level.)

It's not clear to me why this fixed the problem. More important, are there bad things that could happen as a result of putting a server's computer account into the Domain Admins group?

Thanks,
Rob

aval
Honorable But Hopeless Addict

USA
3274 Posts
Status: offline
Posted - 04/20/2012 :  1:56:15 PM  Show Profile  Reply with Quote
I suppose that if someone clever could manage to run a script using the credentials of that computer, they would have a lot of power (same rights as a domain admin). I'm not sure how or if that could be practically exploited.

Could youprovide the technet link?
Go to Top of Page

wkasdo
Administrator

Netherlands
7403 Posts
Status: offline
Posted - 04/20/2012 :  2:01:12 PM  Show Profile  Click to see wkasdo's MSN Messenger address  Reply with Quote
> It's not clear to me why this fixed the problem.

Looks like the DPM computer account needs local admin permissions on XP. Putting the account in D.A. is one way of accomplishing this.

> More important, are there bad things that could happen as a result of putting a server's computer account into the Domain Admins group

It means that anyone controlling DPM and/or the server has Domain Admins permissions, or can get them when he/she wants. Doesn't sound good to me...
Make it as simple as you can, but not simpler -- Albert Einstein
Go to Top of Page

rmoore@afsc.org
Here To Stay

USA
260 Posts
Status: offline
Posted - 04/20/2012 :  2:11:16 PM  Show Profile  Reply with Quote
Here's the link: http://social.technet.microsoft.com/Forums/en-US/dataprotectionmanager/thread/132dff35-1471-453c-bf4f-904d297d43aa/

Oddly, I've installed the DPM client on a number of computers--both Windows 7 and XP--without any trouble. Just this one has given me problems.

Rob
Go to Top of Page

Playwell
Honorable But Hopeless Addict

Netherlands
4820 Posts
Status: offline
Posted - 04/21/2012 :  07:39:30 AM  Show Profile  Visit Playwell's Homepage  Click to see Playwell's MSN Messenger address  Reply with Quote
See if adding the computer account to the XP's local admins group helps in stead. Am curious.
'People who think they know everything are a great annoyance to those of us who do. '
Quote by Isaac Asimov
Go to Top of Page

rmoore@afsc.org
Here To Stay

USA
260 Posts
Status: offline
Posted - 04/26/2012 :  10:29:25 AM  Show Profile  Reply with Quote
I finally got a chance to test out putting the DPM server computer account into the local admin group on the problematic XP workstation. It worked! Good idea you had. I should have thought of that myself. Thanks.

Rob
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Mark Minasi's Reader Forum © 2002-2011 Mark Minasi Go To Top Of Page
This page was generated in 0.14 seconds. Snitz Forums 2000