| Author |
Message |
Paul Wicks
Guest
|
 Posted:
Tue Feb 08, 2005 4:35 pm Post subject:
RRAS Monitor |
|
|
I have a modem pool whose connections require monitoring by support staff.
Currently, I have added the support members to a group that has Administrator
rights, as this seems to be the only way to allow monitoring of RRAS. This is
an undesirable situation as I have some security concerns about one of the
support members. Is there a way to allow RRAS monitoring without granting
full administrative priveledges? |
|
| Back to top |
|
 |
Steven L Umbach
Guest
|
| Posted:
Wed Feb 09, 2005 4:13 am Post subject:
Re: RRAS Monitor |
|
|
I hope it is not a domain controller. I don't know if you have tried giving
them membership in the servers group to see if that will work or not. If you
are forced to leave them in administrators group you can "try" to restrict
them to access only certain mmc snapins via Group Policy and configure
auditing for logons, account management, and policy change on the server to
at least track some of what they are doing on the server. If the security
log was cleared when it was not supposed to be you have a definite problem
with a user in the administrators group. -- Steve
"Paul Wicks" <Paul Wicks@discussions.microsoft.com> wrote in message
news:0FA4FDA2-1E35-48FB-8B11-023992A5A52B@microsoft.com...
| Quote: | I have a modem pool whose connections require monitoring by support staff.
Currently, I have added the support members to a group that has
Administrator
rights, as this seems to be the only way to allow monitoring of RRAS. This
is
an undesirable situation as I have some security concerns about one of the
support members. Is there a way to allow RRAS monitoring without granting
full administrative priveledges?
|
|
|
| Back to top |
|
|
Narendra Kumar
Guest
|
| Posted:
Wed Feb 09, 2005 7:12 pm Post subject:
Re: RRAS Monitor |
|
|
user
rassrvmon -s:servername
this tool you can find win windows resource kit
Narendra
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uX16RtiDFHA.3648@TK2MSFTNGP10.phx.gbl...
| Quote: | I hope it is not a domain controller. I don't know if you have tried giving
them membership in the servers group to see if that will work or not. If
you are forced to leave them in administrators group you can "try" to
restrict them to access only certain mmc snapins via Group Policy and
configure auditing for logons, account management, and policy change on the
server to at least track some of what they are doing on the server. If the
security log was cleared when it was not supposed to be you have a definite
problem with a user in the administrators group. -- Steve
"Paul Wicks" <Paul Wicks@discussions.microsoft.com> wrote in message
news:0FA4FDA2-1E35-48FB-8B11-023992A5A52B@microsoft.com...
I have a modem pool whose connections require monitoring by support staff.
Currently, I have added the support members to a group that has
Administrator
rights, as this seems to be the only way to allow monitoring of RRAS.
This is
an undesirable situation as I have some security concerns about one of
the
support members. Is there a way to allow RRAS monitoring without granting
full administrative priveledges?
|
|
|
| Back to top |
|
|
Paul Wicks
Guest
|
| Posted:
Wed Feb 09, 2005 8:33 pm Post subject:
Re: RRAS Monitor |
|
|
Thank-you for your well thought out reply Steven. Unfortunately, the server
in question is a Domain Controller. I really don't want to track the use of
administrative priveledge, but instead want to prevent it at this point. I
will concider your suggestion if I exhaust all other possibilities. Thanks
again.
"Steven L Umbach" wrote:
| Quote: | I hope it is not a domain controller. I don't know if you have tried giving
them membership in the servers group to see if that will work or not. If you
are forced to leave them in administrators group you can "try" to restrict
them to access only certain mmc snapins via Group Policy and configure
auditing for logons, account management, and policy change on the server to
at least track some of what they are doing on the server. If the security
log was cleared when it was not supposed to be you have a definite problem
with a user in the administrators group. -- Steve
"Paul Wicks" <Paul Wicks@discussions.microsoft.com> wrote in message
news:0FA4FDA2-1E35-48FB-8B11-023992A5A52B@microsoft.com...
I have a modem pool whose connections require monitoring by support staff.
Currently, I have added the support members to a group that has
Administrator
rights, as this seems to be the only way to allow monitoring of RRAS. This
is
an undesirable situation as I have some security concerns about one of the
support members. Is there a way to allow RRAS monitoring without granting
full administrative priveledges?
|
|
|
| Back to top |
|
|
Paul Wicks
Guest
|
| Posted:
Wed Feb 09, 2005 8:35 pm Post subject:
Re: RRAS Monitor |
|
|
Thank-you for you response Narendra. I have tried rassrvmon, but
unfortunately it still requires administrative priveleges. Too bad "Runs As"
can't be preset.
"Narendra Kumar" wrote:
| Quote: | user
rassrvmon -s:servername
this tool you can find win windows resource kit
Narendra
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uX16RtiDFHA.3648@TK2MSFTNGP10.phx.gbl...
I hope it is not a domain controller. I don't know if you have tried giving
them membership in the servers group to see if that will work or not. If
you are forced to leave them in administrators group you can "try" to
restrict them to access only certain mmc snapins via Group Policy and
configure auditing for logons, account management, and policy change on the
server to at least track some of what they are doing on the server. If the
security log was cleared when it was not supposed to be you have a definite
problem with a user in the administrators group. -- Steve
"Paul Wicks" <Paul Wicks@discussions.microsoft.com> wrote in message
news:0FA4FDA2-1E35-48FB-8B11-023992A5A52B@microsoft.com...
I have a modem pool whose connections require monitoring by support staff.
Currently, I have added the support members to a group that has
Administrator
rights, as this seems to be the only way to allow monitoring of RRAS.
This is
an undesirable situation as I have some security concerns about one of
the
support members. Is there a way to allow RRAS monitoring without granting
full administrative priveledges?
|
|
|
| Back to top |
|
|
Steven L Umbach
Guest
|
| Posted:
Thu Feb 10, 2005 6:48 am Post subject:
Re: RRAS Monitor |
|
|
Take a look at Joe Richards CPAU. It is his replacement for runas, allows a
password to be included, and can encode the batch command for use to hide
the password. Read Joe's comments at his website to see if it will suit your
needs, particularly about the encoding strength. The link below is to Joe's
website. --- Steve
http://www.joeware.net/win/free/tools/cpau.htm
"Paul Wicks" <PaulWicks@discussions.microsoft.com> wrote in message
news:49912FB4-7090-40B8-87B8-306BB15D6216@microsoft.com...
| Quote: | Thank-you for you response Narendra. I have tried rassrvmon, but
unfortunately it still requires administrative priveleges. Too bad "Runs
As"
can't be preset.
"Narendra Kumar" wrote:
user
rassrvmon -s:servername
this tool you can find win windows resource kit
Narendra
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uX16RtiDFHA.3648@TK2MSFTNGP10.phx.gbl...
I hope it is not a domain controller. I don't know if you have tried
giving
them membership in the servers group to see if that will work or not. If
you are forced to leave them in administrators group you can "try" to
restrict them to access only certain mmc snapins via Group Policy and
configure auditing for logons, account management, and policy change on
the
server to at least track some of what they are doing on the server. If
the
security log was cleared when it was not supposed to be you have a
definite
problem with a user in the administrators group. -- Steve
"Paul Wicks" <Paul Wicks@discussions.microsoft.com> wrote in message
news:0FA4FDA2-1E35-48FB-8B11-023992A5A52B@microsoft.com...
I have a modem pool whose connections require monitoring by support
staff.
Currently, I have added the support members to a group that has
Administrator
rights, as this seems to be the only way to allow monitoring of RRAS.
This is
an undesirable situation as I have some security concerns about one of
the
support members. Is there a way to allow RRAS monitoring without
granting
full administrative priveledges?
|
|
|
| Back to top |
|
|
Paul Wicks
Guest
|
| Posted:
Tue Feb 15, 2005 6:37 pm Post subject:
Re: RRAS Monitor |
|
|
Thanks for the great tip Steve! CPAU works like a charm with the support
utility rrassrvmon.
Problem solved!
"Steven L Umbach" wrote:
| Quote: | Take a look at Joe Richards CPAU. It is his replacement for runas, allows a
password to be included, and can encode the batch command for use to hide
the password. Read Joe's comments at his website to see if it will suit your
needs, particularly about the encoding strength. The link below is to Joe's
website. --- Steve
http://www.joeware.net/win/free/tools/cpau.htm
"Paul Wicks" <PaulWicks@discussions.microsoft.com> wrote in message
news:49912FB4-7090-40B8-87B8-306BB15D6216@microsoft.com...
Thank-you for you response Narendra. I have tried rassrvmon, but
unfortunately it still requires administrative priveleges. Too bad "Runs
As"
can't be preset.
"Narendra Kumar" wrote:
user
rassrvmon -s:servername
this tool you can find win windows resource kit
Narendra
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uX16RtiDFHA.3648@TK2MSFTNGP10.phx.gbl...
I hope it is not a domain controller. I don't know if you have tried
giving
them membership in the servers group to see if that will work or not. If
you are forced to leave them in administrators group you can "try" to
restrict them to access only certain mmc snapins via Group Policy and
configure auditing for logons, account management, and policy change on
the
server to at least track some of what they are doing on the server. If
the
security log was cleared when it was not supposed to be you have a
definite
problem with a user in the administrators group. -- Steve
"Paul Wicks" <Paul Wicks@discussions.microsoft.com> wrote in message
news:0FA4FDA2-1E35-48FB-8B11-023992A5A52B@microsoft.com...
I have a modem pool whose connections require monitoring by support
staff.
Currently, I have added the support members to a group that has
Administrator
rights, as this seems to be the only way to allow monitoring of RRAS.
This is
an undesirable situation as I have some security concerns about one of
the
support members. Is there a way to allow RRAS monitoring without
granting
full administrative priveledges?
|
|
|
| Back to top |
|
|
Steven L Umbach
Guest
|
| Posted:
Tue Feb 15, 2005 9:43 pm Post subject:
Re: RRAS Monitor |
|
|
Great! Thanks for reporting back your results. Be sure to thank Joe
Richards.He lurks this newsgroup and many others. --- Steve
"Paul Wicks" <PaulWicks@discussions.microsoft.com> wrote in message
news:187D235E-F415-4F4A-B6BC-E1605D155D7F@microsoft.com...
| Quote: | Thanks for the great tip Steve! CPAU works like a charm with the support
utility rrassrvmon.
Problem solved!
"Steven L Umbach" wrote:
Take a look at Joe Richards CPAU. It is his replacement for runas, allows
a
password to be included, and can encode the batch command for use to hide
the password. Read Joe's comments at his website to see if it will suit
your
needs, particularly about the encoding strength. The link below is to
Joe's
website. --- Steve
http://www.joeware.net/win/free/tools/cpau.htm
"Paul Wicks" <PaulWicks@discussions.microsoft.com> wrote in message
news:49912FB4-7090-40B8-87B8-306BB15D6216@microsoft.com...
Thank-you for you response Narendra. I have tried rassrvmon, but
unfortunately it still requires administrative priveleges. Too bad
"Runs
As"
can't be preset.
"Narendra Kumar" wrote:
user
rassrvmon -s:servername
this tool you can find win windows resource kit
Narendra
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:uX16RtiDFHA.3648@TK2MSFTNGP10.phx.gbl...
I hope it is not a domain controller. I don't know if you have tried
giving
them membership in the servers group to see if that will work or not.
If
you are forced to leave them in administrators group you can "try" to
restrict them to access only certain mmc snapins via Group Policy and
configure auditing for logons, account management, and policy change
on
the
server to at least track some of what they are doing on the server.
If
the
security log was cleared when it was not supposed to be you have a
definite
problem with a user in the administrators group. -- Steve
"Paul Wicks" <Paul Wicks@discussions.microsoft.com> wrote in message
news:0FA4FDA2-1E35-48FB-8B11-023992A5A52B@microsoft.com...
I have a modem pool whose connections require monitoring by support
staff.
Currently, I have added the support members to a group that has
Administrator
rights, as this seems to be the only way to allow monitoring of
RRAS.
This is
an undesirable situation as I have some security concerns about one
of
the
support members. Is there a way to allow RRAS monitoring without
granting
full administrative priveledges?
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in