Monday, January 5, 2009

Binding Macs to OD and AD, Security Requirements

While scripting binding to my AD and OD servers, I wanted to increase security of the accounts that are used. Each of the directory servers does this a little differently.

Bind to OD

For security purposes, it's not a great idea to script binding with the administrator account. This is commonly done anyway, with the credentials protected only by restricting access to the disk image and the scripts, and it is how I have done it up to this point too. Being overly paranoid and wanting to leave a respectable legacy, I looked into binding with an account that's less than super-admin.

After testing it out, I can use a simple access account (without administrator privileges) to bind machines to OD. This solves my issues with using a privileged account. I am also changing the passwords monthly.


Bind to AD

Binding to AD has the same issue when a Domain Administrators account is used. To solve this, I used this article to create an account that is only allowed to bind/unbind machines:

http://support.microsoft.com/kb/251335

Also, this is a nice GUI for binding on first boot:
http://forums.bombich.com/viewtopic.php?p=46346

Rusty
Thanks to Jody for the AD side!
