
Has anybody reading this played with launching AD-specific snap-ins from a standard domain workstation? I tried getting the ADUC snap-in (DSA.MSC) to work from a workstation, but it simply returns an error, "MMC could not create the snap-in". My method was to navigate to %windir%\system32 on the Domain Controller and copy *.msc to a shared folder. The shared folder is restricted at the NTFS level for security reasons. From there, jump back to the workstation (Windows XP SP2) and run the snap-in from its home on the network share.
I'm not really upset that it doesn't work because I wasn't expecting any positive results in the first place. The surprise, though, and the reason I'm sharing this, came when I was able to launch the Group Policy Manager (GPMC.MSC) from the same workstation, with the same standard-user credentials. In the console I was able to observe the structure of the domain down to the root, including all OUs, and where I had read permission I saw the settings for any of the linked GPOs I selected. Where I didn't have read permission, I still saw placemarkers where a GPO was linked.
Very interesting, if you ask me, and potentially very useful both from a management standpoint and more succinctly from a snooping/nosing around standpoint.
Anyway, if I could get read access to the group policy structure, it would follow that read access on user/computer objects would be there too, but even with domain admin credentials it doesn't work at the station. Maybe a member server would do the trick? Too bad I don't have member servers lying around.