Guest Brodieman
Posted August 15, 2008

Hi guys

I have a requirement to be able to let certain sets of administrators the ability to login to domain controllers without permissions over the whole domain.

Although I can give the users PowerUser or LocalLogon rights via making a domain security group a member of the PowerUser or LocalLogon group there does not appear to be a local admin group on DCs.

Can you with Server 2003 give a user just local admin to a DC without DA rights???

Guest S. Pidgorny
Posted August 16, 2008

No. You can grant permission to log on locally (group policy - user rights assignments) and via remote desktop, and other rights and permissions, but there's no such thing as local administrators on DCs.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
http://sl.mvps.org http://msmvps.com/blogs/sp

Guest Roger Abell [MVP]
Posted August 16, 2008

"Brodieman" <Brodieman@discussions.microsoft.com> wrote in message news:B350DA7C-99DD-482A-9605-E16374496592@microsoft.com...
> Hi guys
>
> I have a requirement to be able to let certain sets of administrators the
> ability to login to domain controllers without permissions over the whole
> domain.

Why? In general it is a poor practice to have DCs logged into except when necessary by domain admins. That's a generality of course. Most management tasks can be accomplished by delegated users by use of remote admin tools.

That said, "a set of administrators" means what? Administrators where?

> Although I can give the users PowerUser or LocalLogon rights via making a

Do not give Power User membership. If you really trust someone you might, but the line between Power User and Domain Admin membership is thin as it is within Power User grants to elevate themselves if they really want.

Local Logon and Users membership should be enough, unless you mean log in with remote desktop in which case use the Remote Desktop Users group instead of the logon locally user right.

> domain security group a member of the PowerUser or LocalLogon group there
> does not appear to be a local admin group on DCs.

LocalLogon group must be something custom defined on your machine(s) so I cannot say what it does, but the logon locally user right (which might be granted to your LocalLogon group) is possibly enough to enable console login (assuming they are one way or another in Users). This holds for DCs as well as non-DC servers and workstations.

> Can you with Server 2003 give a user just local admin to a DC without DA
> rights???

Yes. But the distinction is just as thin as for Power Users. One just uses the Administrators group (in your domain in AD by default in the Built-in container). However, you really, really should aim at using the domain group that is used to make this set of admins Administrators on those non-DC machines to grant to them the rights needed to do their tasks with the remote administration tools. Failing the ability to convince people that those tasks do not create a "requirement" to all DC local login (and/or remote desktop login), then use that group to grant Users membership and the log on locally user right (make sure you do that in a GPO linked to the DC OU, not to the domain) and verify they are, one way or another, members of Users. You probably also need to make grants to that group so that they may do whatever the task behind the requirement is.

So, that would be a way to do it. But resist! Aim to just delegate to their (not otherwise elevated) accounts and have them use remote tools.

Roger

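One way to verify the grant described in the post above, as an added example that is not part of the original thread: the script reads a security-template export of the GPO linked to the Domain Controllers OU and reports which logon rights a delegated group ends up with, and whether it has landed in Administrators or Power Users. The template text, the group SID and the function names are constructed for illustration; the section and key layout is assumed to follow the usual security-template INF format.

```python
# Added example: audit a security-template export for DC logon rights.
# The template text and the group SID below are constructed sample data.

WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-555": "Remote Desktop Users",
}
# User rights that let an account start an interactive session.
LOGON_RIGHTS = {
    "SeInteractiveLogonRight": "log on locally",
    "SeRemoteInteractiveLogonRight": "log on through Terminal Services",
}
# Memberships the thread warns against for accounts that only need to log on.
HIGH_PRIV = {"S-1-5-32-544", "S-1-5-32-547"}

# Constructed SID standing in for a hypothetical delegated "DC-Operators" group.
DELEGATED = "S-1-5-21-1111111111-2222222222-3333333333-1601"

# Constructed template: logon rights only, no privileged membership.
GOOD_TEMPLATE = f"""\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*{DELEGATED}
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Group Membership]
*{DELEGATED}__Memberof = *S-1-5-32-545,*S-1-5-32-555
"""

# Constructed template: the shortcut of adding the group to Administrators.
BAD_TEMPLATE = f"""\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*{DELEGATED}
"""


def parse_inf(text):
    """Parse INF text into {section: {key: [values]}}, dropping the '*' SID prefix."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            items = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            current[key.strip().lstrip("*")] = items
    return sections


def memberships(groups, sid):
    """Groups that `sid` belongs to according to the template, followed transitively."""
    found, todo = set(), [sid]
    while todo:
        who = todo.pop()
        parents = set(groups.get(who + "__Memberof", []))
        parents |= {key[:-len("__Members")] for key, members in groups.items()
                    if key.endswith("__Members") and who in members}
        for parent in parents - found:
            found.add(parent)
            todo.append(parent)
    return found


def audit(template_text, sid):
    """Summarise what the template gives `sid`, directly or through its groups."""
    inf = parse_inf(template_text)
    rights = inf.get("Privilege Rights", {})
    groups = memberships(inf.get("Group Membership", {}), sid)
    principals = groups | {sid}
    return {
        "logon_rights": sorted(name for right, name in LOGON_RIGHTS.items()
                               if principals & set(rights.get(right, []))),
        # False only means this template does not show it; membership may
        # still come from nesting defined elsewhere (e.g. via Domain Users).
        "in_users": "S-1-5-32-545" in groups,
        "privileged_groups": sorted(WELL_KNOWN[g] for g in groups & HIGH_PRIV),
    }


if __name__ == "__main__":
    for label, text in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(label, audit(text, DELEGATED))
```

A non-empty `privileged_groups` list is the case the post argues against: the group can log on, but only because it has been made an administrator of the DC.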
Guest Brodieman
Posted August 16, 2008

Thank you for that, I guess that might be the case.

Guest Shenan Stanley
Posted August 16, 2008

Brodieman wrote:
> I have a requirement to be able to let certain sets of
> administrators the ability to login to domain controllers
> without permissions over the whole domain.
>
> Although I can give the users PowerUser or LocalLogon rights via
> making a domain security group a member of the PowerUser or
> LocalLogon group there does not appear to be a local admin group
> on DCs.
>
> Can you with Server 2003 give a user just local admin to a DC
> without DA rights???

S. Pidgorny <MVP> wrote:
> No. You can grant permission to log on locally (group policy -
> user rights assignments) and via remote desktop, and other rights
> and permissions, but there's no such thing as local administrators
> on DCs.

Brodieman wrote:
> Thank you for that, I guess that might be the case.

No need for guessing.
Domain Controllers do not have local accounts.

http://windowsitpro.com/article/articleid/...controller.html

http://techrepublic.com.com/5208-7343-0.ht...=268861&start=0

Good luck!

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

Guest Dan
Posted August 19, 2008

Exactly, Roger. You give people what they need to know on an as needed basis and only as much power as you are comfortable with giving them. This is essential and if people need more information then the question should always be why and people seem to easily forget that their work machines are not for personal use and every activity from work is monitored.

It is bad enough in this day and age that it is becoming increasingly difficult to have individual liberties and freedoms and hopefully the States will never become the society as seen by George Orwell's 1984 but we unfortunately seem to be headed quickly down that path but it is not here yet, thankfully. The importance of maintaining a very limited knowledge structure is getting more and more essential I am learning to effectively work within the electronics industry and now I am most interested in the Desktop and User level and not too interested in networking because it is too complex for my brain to fully grasp.

The question of user trust and knowledge is essential and I have learned too many lessons the hard way from being burned. <grin and bear it and at least I can still smile about the most unfortunate experiences I have encountered --- thanks to great mvp's like you, Robear and Chris Quirke and many others --- too numerous to name them all>

Guest Steve Riley [MSFT]
Posted August 19, 2008

Your statement:

> It is bad enough in this day and age that it is becoming increasingly
> difficult to have individual liberties and freedoms and hopefully the
> States will never become the society as seen by George Orwell's 1984 but we
> unfortunately seem to be headed quickly down that path but it is not here
> yet, thankfully.

Is directly contradicted by your next statement:

> The importance of maintaining a very limited knowledge
> structure is getting more and more essential

Do you not see this?

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

Guest Dan
Posted August 19, 2008

It was early in the morning so the brain was not working fully. I will read my post later and analyze it and thanks for the feedback, Steve. I appreciate it.

Guest Steve Riley [MSFT]
Posted August 19, 2008

Heh, don't over-analyze... I just thought it was curious that first you express concern (rightly) over loss of individual and collective liberties, but then you stress that limiting access to knowledge is important. That's where the contradiction lies: it's the lack of knowledge (and passion) that's allowing our civilization to erode. Only when people become _more_ knowledgeable will we start to undo some of the damage. More knowledge is always better.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

Guest Roger Abell [MVP]
Posted August 20, 2008

"Shenan Stanley" <newshelper@gmail.com> wrote in message news:OlYPNT4$IHA.1184@TK2MSFTNGP04.phx.gbl...
> Brodieman wrote:
>> I have a requirement to be able to let certain sets of
>> administrators the ability to login to domain controllers
>> without permissions over the whole domain.
>>
>> Although I can give the users PowerUser or LocalLogon rights via
>> making a domain security group a member of the PowerUser or
>> LocalLogon group there does not appear to be a local admin group
>> on DCs.
>>
>> Can you with Server 2003 give a user just local admin to a DC
>> without DA rights???
>
> S. Pidgorny <MVP> wrote:
>> No. You can grant permission to log on locally (group policy -
>> user rights assignments) and via remote desktop, and other rights
>> and permissions, but there's no such thing as local administrators
>> on DCs.
>
> Brodieman wrote:
>> Thank you for that, I guess that might be the case.
>
> No need for guessing.
> Domain Controllers do not have local accounts.
>
> http://windowsitpro.com/article/articleid/...controller.html
>
> http://techrepublic.com.com/5208-7343-0.ht...=268861&start=0
>
> Good luck!
>
> --
> Shenan Stanley
> MS-MVP
> --

While that is true, that there is no local SAM of account during normal DC operations, the requirement poster stated, to allow them to be admins on the DCs without being admins over active directory, is satisfied by the Administrators group of the domain. Accounts in that group are pretty much just domain users that also have admin (i.e. server admin) rights when logged into a DC. They do not have extra permissions in AD or on joined machines.

Roger

Guest Roger Abell [MVP]
Posted August 20, 2008

Hey Steve,

It seems we both choked a little when we got to that point. Then I thought, maybe the consistent meaning is found by adding a "by whom", limiting who knows. I guess there is always a risk when one censors (limits knowledge). If I recall, there was an uproar in the first Nixon administration when a project was started to consolidate the 100+ federal data stores (113 if I recall correctly) that average American had info in, and the project went quiet. It's really in who has access to info, or rather who doesn't, and the inclination for uses that info how.

Roger

Guest Dan
Posted August 29, 2008

Heh, thanks and now do we just need knowledge or can I add wisdom to that mix, Steve. <grin>
