Service Administrator Scope of Authority

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

If you choose to participate in an Active Directory forest, you must trust the forest owner and the service administrators. The forest owner is responsible for selecting and managing the service administrators; therefore, when you trust a forest owner, you also trust the service administrators that the forest owner manages. These service administrators have access to all of the resources in the forest. Before making the decision to participate in a forest, it is important to understand that the forest owner and the service administrators will have full access to your data. You cannot prevent this access.

All service administrators in a forest have full control over all data and services on all computers in the forest. Service administrators have the capability to do the following:

  • Correct errors on the access control lists (ACLs) of objects. This enables the service administrator to read, modify, or delete objects regardless of the ACLs that are set on those objects.

  • Modify the system software on a domain controller to bypass normal security checks. This enables the service administrator to view or manipulate any object in the domain, regardless of the ACL on the object.

  • Use the Restricted Groups security policy to grant any user or group administrative access to any computer joined to the domain. In this way, service administrators can obtain control of any computer joined to the domain regardless of the intentions of the computer owner.

  • Reset passwords or change group memberships for users.

  • Gain access to other domains in the forest by modifying the system software on a domain controller. Service administrators can affect the operation of any domain in the forest, view or manipulate forest configuration data, view or manipulate data stored in any domain, and view or manipulate data stored on any computer joined to the forest.
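Because the capabilities above belong to whoever is a member of the built-in service administrator groups, a group deciding whether to trust a forest owner will want to know who actually holds that authority today. The following PowerShell script is an added example, not part of the original article; it enumerates the membership of the forest-wide and per-domain service administrator groups using the ActiveDirectory module (RSAT) and assumes the account running it has read access to every domain in the forest. The group names used are the default built-in names; an environment with renamed groups would need the lists adjusted.

```powershell
# Added example (not from the original article): list every principal that holds
# service-administrator authority in the current forest.
# Assumes the ActiveDirectory module is installed and the caller can read all domains.
Import-Module ActiveDirectory

$forest     = Get-ADForest
$forestRoot = $forest.RootDomain

# Forest-wide service administrator groups exist only in the forest root domain;
# the per-domain groups exist in every domain of the forest.
$forestWideGroups = @('Enterprise Admins', 'Schema Admins')
$domainGroups     = @('Domain Admins', 'Administrators', 'Account Operators',
                      'Server Operators', 'Backup Operators')

$results = foreach ($domain in $forest.Domains) {
    $groups = $domainGroups
    if ($domain -eq $forestRoot) { $groups += $forestWideGroups }

    foreach ($groupName in $groups) {
        try {
            # -Recursive expands nested groups, so accounts that are privileged only
            # through nesting (e.g. a group placed inside Domain Admins) still appear.
            $members = Get-ADGroupMember -Identity $groupName -Server $domain -Recursive -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not read '$groupName' in ${domain}: $($_.Exception.Message)"
            continue
        }

        foreach ($member in $members) {
            [pscustomobject]@{
                Domain      = $domain
                Group       = $groupName
                Member      = $member.SamAccountName
                ObjectClass = $member.objectClass
                DN          = $member.distinguishedName
            }
        }
    }
}

# One row per (domain, group, member). Compare this against the list of people the
# forest owner has approved as service administrators; any name not on that list is
# someone the participating group is trusting without knowing it.
$results | Sort-Object Domain, Group, Member | Format-Table -AutoSize

# Summary: how many distinct principals hold service-administrator authority per domain.
$results |
    Group-Object Domain |
    Select-Object Name, @{ Name = 'DistinctPrincipals'; Expression = { ($_.Group.DN | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
```

Run the script from a management workstation joined to the forest. The Administrators group in each domain contains Domain Admins (and, in the root domain, Enterprise Admins) by default, so the same account can legitimately appear under several groups; the summary at the end de-duplicates by distinguished name to give the real head count of trusted principals.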

For this reason, groups that store data in organizational units (OUs) in the forest and that join computers to a forest must trust the service administrators. For a group to join a forest, it must choose to trust all service administrators in the forest. This involves ensuring that:

  • The forest owner can be trusted to act in the interests of the group and does not have reason to act maliciously against the group.

  • The forest owner appropriately restricts physical access to domain controllers. Domain controllers within a forest cannot be isolated from one another. It is possible for an attacker who has physical access to a single domain controller to make offline changes to the directory database and, by doing so, interfere with the operation of any domain in the forest, view or manipulate data stored anywhere in the forest, and view or manipulate data stored on any computer joined to the forest. For this reason, physical access to domain controllers must be restricted to trusted personnel.

  • You understand and accept the potential risk that trusted service administrators can be coerced into compromising the security of the system.

Some groups might determine that the collaborative and cost-saving benefits of participating in a shared infrastructure outweigh the risk that service administrators will misuse, or will be coerced into misusing, their authority. These groups can share a forest and use OUs to delegate authority. However, other groups might not accept this risk because the consequences of a compromise in security are too severe. These groups require separate forests.