Thursday, December 18, 2008

Vista as a Virus #1

Among many other duties and responsibilities, I am also a Domain Admin of my company's Active Directory. Despite having a normal user account, I must confess to frequently logging into my desktop with my Domain Admin account. On one such occasion, I was trying to track down a DNS issue that our Sydney office was suffering, when I realised that I needed to flush my local DNS resolver cache. Pretty straightforward? Just open a Command Prompt:

C:\>ipconfig /flushdns

The requested operation requires elevation

C:\>

Oh! That didn't work! What the heck is "elevation"? Other than sounding like a U2 song!

Well, having googled around and found this thread on a Microsoft site, it appears that as an Active Directory Domain Admin I was insufficiently privileged on my Desktop to perform that operation from a Command Prompt!

To be able to perform that sort of operation in a Command Prompt I should have started the Command Prompt with "Run as Administrator".

Some may argue that this is merely improving security, but I would not be one of them. Since then, I started up FileZilla, which informed me there was an update available and asked whether I wanted to install it. I said yes. FileZilla downloaded the file successfully, and then failed. Guess what! Actually running the install program was an operation which required elevation. Grrr!

2 comments:

Marc C. said...

That's Vista's wonderful User Account Control. Check out this post from Mark Minasi at minasi.com.

User Account Control (UAC)

Notifies you that code is being run which requires administrative functionality.

When an administrative user logs onto a Vista or Server 2008 machine they receive two tokens – think of it like this: they get one token for Clark Kent that is a standard user token that has no special abilities and another for Superman who of course has abilities far beyond that of a standard user. Most of the time when the user is working in email, Word, Excel and surfing the internet they are doing it as Clark but if they attempt to perform an action that requires Administrative capabilities a UAC dialog box appears notifying the user that something is requiring that the administrative token be used. That “something” could be a virus that is attempting to infect their machine or some badly written application. The point to UAC is to make administrators aware of when their Superman token is being used and if they didn’t initiate the action themselves they are made aware that “something” did.
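
The split-token behaviour described in the comment above can be inspected from a PowerShell prompt. This is an added example, not part of the original post or its comments: it reports which of the two tokens the current process holds and raises the UAC prompt only when the command needs it. The function names and the UacDemo namespace are hypothetical; it assumes PowerShell 2.0 or later.

```powershell
# Added example: report which half of the UAC split token this process holds.
# 18 is TokenElevationType in the Win32 TOKEN_INFORMATION_CLASS enumeration.
Add-Type -Namespace UacDemo -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr tokenHandle, int infoClass, out int info, int infoLength, out int returnLength);
'@

function Get-TokenElevationType {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $type = 0
    $returned = 0
    $ok = [UacDemo.Native]::GetTokenInformation($identity.Token, 18, [ref]$type, 4, [ref]$returned)
    if (-not $ok) { throw 'GetTokenInformation failed' }
    switch ($type) {
        1 { 'Default' }   # no linked token: UAC disabled, or a plain standard user
        2 { 'Full' }      # the elevated ("Superman") token
        3 { 'Limited' }   # the filtered ("Clark Kent") token of an administrator
    }
}

function Test-IsAdministrator {
    # False under the filtered token, because the Administrators group is deny-only there
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-WithElevation {
    param([string]$FilePath, [string[]]$ArgumentList)
    if (Test-IsAdministrator) {
        # Already running with the full token: run in place
        & $FilePath @ArgumentList
    } else {
        # Raises the UAC consent (or credential) prompt, then runs elevated
        Start-Process -FilePath $FilePath -ArgumentList $ArgumentList -Verb RunAs -Wait
    }
}

"Elevation type : $(Get-TokenElevationType)"
"Administrator  : $(Test-IsAdministrator)"
Invoke-WithElevation -FilePath 'ipconfig.exe' -ArgumentList '/flushdns'
```

From a normally started prompt an administrator sees the Limited type; from a prompt started with "Run as Administrator" the same account sees Full.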

r said...

Hi Marc, Thanks for providing a link to an explanation of the implementation.

On the one hand I applaud the Microsoft development team for the implementation. It is quite ingenious.

On the other hand, at my company I have two accounts, one as an "ordinary" user and a second Admin account with which to administer the Active Directory Domain.

In my original post I suspected that the intention was to increase security. Perhaps to remove the requirement for multiple accounts. But multiple accounts are a very simple mechanism to implement a separation of responsibilities, roles if you will, and add little overhead in the typical large enterprise.

In a large enterprise environment, I would still suggest that my original title applies. That is one of the reasons one of the post's labels is "Rant".