Run as a different user with JFW
Hi, I am doing an Exchange 2013 upgrade and came across an issue with ActiveSync as I am in the Domain Admins group. I know this is very bad practise, and I wanted to deal with this for a while, so I removed myself from the group, and for the most part am using an admin account to do admin tasks. The issue is with this is that when using one of the snap ins, for example, if I do a run as a different user with JFW, the program launches, but JFW can't read the contents of the window. I can sometimes use the review cursor to get the window, but it isn't reliable. I have been logging in as the separate admin account completely in order to run tasks. Any suggestions as to a better way? Thanks. Andrew.
I reported this on this list and to FS about two years when I demanded that all admins follow this best practise and to my embarrassment couldn't do the same myself. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Andrew Hodgson Sent: 13 May 2014 15:22 To: Blind sysadmins list Subject: [Blind-sysadmins] Run as a different user with JFW Hi, I am doing an Exchange 2013 upgrade and came across an issue with ActiveSync as I am in the Domain Admins group. I know this is very bad practise, and I wanted to deal with this for a while, so I removed myself from the group, and for the most part am using an admin account to do admin tasks. The issue is with this is that when using one of the snap ins, for example, if I do a run as a different user with JFW, the program launches, but JFW can't read the contents of the window. I can sometimes use the review cursor to get the window, but it isn't reliable. I have been logging in as the separate admin account completely in order to run tasks. Any suggestions as to a better way? Thanks. Andrew. _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
Hi, I did remember this actually, and is why I held off doing this for so long. However, with the new Exchange I couldn't use ActiveSync without modifying some of the template permissions, which seriously degrades the security of the administrative accounts. The recommendation from MS is not to use accounts with email privileges as domain admins. What is your strategy now on this? Andrew. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Darragh Ó Héiligh Sent: 13 May 2014 15:26 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Run as a different user with JFW I reported this on this list and to FS about two years when I demanded that all admins follow this best practise and to my embarrassment couldn't do the same myself. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Andrew Hodgson Sent: 13 May 2014 15:22 To: Blind sysadmins list Subject: [Blind-sysadmins] Run as a different user with JFW Hi, I am doing an Exchange 2013 upgrade and came across an issue with ActiveSync as I am in the Domain Admins group. I know this is very bad practise, and I wanted to deal with this for a while, so I removed myself from the group, and for the most part am using an admin account to do admin tasks. The issue is with this is that when using one of the snap ins, for example, if I do a run as a different user with JFW, the program launches, but JFW can't read the contents of the window. I can sometimes use the review cursor to get the window, but it isn't reliable. I have been logging in as the separate admin account completely in order to run tasks. Any suggestions as to a better way? Thanks. Andrew. _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
I don't have one. I have to operate with terrible security and just try to remember to log out of that account when I don't need it. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Andrew Hodgson Sent: 13 May 2014 16:29 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Run as a different user with JFW Hi, I did remember this actually, and is why I held off doing this for so long. However, with the new Exchange I couldn't use ActiveSync without modifying some of the template permissions, which seriously degrades the security of the administrative accounts. The recommendation from MS is not to use accounts with email privileges as domain admins. What is your strategy now on this? Andrew. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Darragh Ó Héiligh Sent: 13 May 2014 15:26 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Run as a different user with JFW I reported this on this list and to FS about two years when I demanded that all admins follow this best practise and to my embarrassment couldn't do the same myself. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Andrew Hodgson Sent: 13 May 2014 15:22 To: Blind sysadmins list Subject: [Blind-sysadmins] Run as a different user with JFW Hi, I am doing an Exchange 2013 upgrade and came across an issue with ActiveSync as I am in the Domain Admins group. I know this is very bad practise, and I wanted to deal with this for a while, so I removed myself from the group, and for the most part am using an admin account to do admin tasks. The issue is with this is that when using one of the snap ins, for example, if I do a run as a different user with JFW, the program launches, but JFW can't read the contents of the window. I can sometimes use the review cursor to get the window, but it isn't reliable. I have been logging in as the separate admin account completely in order to run tasks. Any suggestions as to a better way? Thanks. Andrew. _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
I don't have one. I have to operate with terrible security and just try to remember to log out of that account when I don't need it. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Andrew Hodgson Sent: 13 May 2014 16:29 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Run as a different user with JFW Hi, I did remember this actually, and is why I held off doing this for so long. However, with the new Exchange I couldn't use ActiveSync without modifying some of the template permissions, which seriously degrades the security of the administrative accounts. The recommendation from MS is not to use accounts with email privileges as domain admins. What is your strategy now on this? Andrew. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Darragh Ó Héiligh Sent: 13 May 2014 15:26 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Run as a different user with JFW I reported this on this list and to FS about two years when I demanded that all admins follow this best practise and to my embarrassment couldn't do the same myself. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Andrew Hodgson Sent: 13 May 2014 15:22 To: Blind sysadmins list Subject: [Blind-sysadmins] Run as a different user with JFW Hi, I am doing an Exchange 2013 upgrade and came across an issue with ActiveSync as I am in the Domain Admins group. I know this is very bad practise, and I wanted to deal with this for a while, so I removed myself from the group, and for the most part am using an admin account to do admin tasks. The issue is with this is that when using one of the snap ins, for example, if I do a run as a different user with JFW, the program launches, but JFW can't read the contents of the window. I can sometimes use the review cursor to get the window, but it isn't reliable. I have been logging in as the separate admin account completely in order to run tasks. Any suggestions as to a better way? Thanks. Andrew. _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
Hi, I did remember this actually, and is why I held off doing this for so long. However, with the new Exchange I couldn't use ActiveSync without modifying some of the template permissions, which seriously degrades the security of the administrative accounts. The recommendation from MS is not to use accounts with email privileges as domain admins. What is your strategy now on this? Andrew. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Darragh Ó Héiligh Sent: 13 May 2014 15:26 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Run as a different user with JFW I reported this on this list and to FS about two years when I demanded that all admins follow this best practise and to my embarrassment couldn't do the same myself. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Andrew Hodgson Sent: 13 May 2014 15:22 To: Blind sysadmins list Subject: [Blind-sysadmins] Run as a different user with JFW Hi, I am doing an Exchange 2013 upgrade and came across an issue with ActiveSync as I am in the Domain Admins group. I know this is very bad practise, and I wanted to deal with this for a while, so I removed myself from the group, and for the most part am using an admin account to do admin tasks. The issue is with this is that when using one of the snap ins, for example, if I do a run as a different user with JFW, the program launches, but JFW can't read the contents of the window. I can sometimes use the review cursor to get the window, but it isn't reliable. I have been logging in as the separate admin account completely in order to run tasks. Any suggestions as to a better way? Thanks. Andrew. _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
I reported this on this list and to FS about two years when I demanded that all admins follow this best practise and to my embarrassment couldn't do the same myself. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Andrew Hodgson Sent: 13 May 2014 15:22 To: Blind sysadmins list Subject: [Blind-sysadmins] Run as a different user with JFW Hi, I am doing an Exchange 2013 upgrade and came across an issue with ActiveSync as I am in the Domain Admins group. I know this is very bad practise, and I wanted to deal with this for a while, so I removed myself from the group, and for the most part am using an admin account to do admin tasks. The issue is with this is that when using one of the snap ins, for example, if I do a run as a different user with JFW, the program launches, but JFW can't read the contents of the window. I can sometimes use the review cursor to get the window, but it isn't reliable. I have been logging in as the separate admin account completely in order to run tasks. Any suggestions as to a better way? Thanks. Andrew. _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
participants (2)
-
Andrew Hodgson -
Darragh Ó Héiligh