Re: Admin with no Rights to Active Directory
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 03/26/05
- Previous message: Ed: "2-way ADC and accounts created in old domain while the ADC is runn"
- In reply to: DebraH: "Re: Admin with no Rights to Active Directory"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 26 Mar 2005 00:30:58 -0500
Anyone with local logon rights to a DC is in a position to escalate their
permissions through security holes. If they have the ability to modify the file
system they are even closer to having the ability to escalate. If they have
local admin on DCs, they can totally escalate to whatever they want.
If someone needs to just stop and start services, give them permissions to stop
and start the services and make them do it remotely, not via logging on locally.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

DebraH wrote:
> For each remote site - we have a DC that has 2 applications running from it.
> This DC manages the following:
>
> DHCP
> DNS
> WINS
> App1
> App2
>
> I need the help desk users to be able to log on to the server locally or
> remotely to start or stop any one of these services. I do not want these help
> desk users to be able to change rights or take over or acquire Domain or
> Enterprise Admin rights.
>
> When you say a server op can take an admin, do you mean anyone in the built-in
> administrators group of a DC or member server admin?
>
> "Joe Richards [MVP]" wrote:
>
>> Sure, but I wouldn't do it. A server op can take admin any time they want it.
>>
>> Let me repeat. Do not let anyone but domain admins log into DCs.
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>> DebraH wrote:
>>
>>> For a help desk user, should I give them Server Operator rights? I need the
>>> user to be able to start and shut down the server and run some services. I also
>>> need them to manage DHCP.
>>>
>>> "Joe Richards [MVP]" wrote:
>>>
>>>> You can't, anyone who can make changes to services, files, etc. on a DC can seize
>>>> domain admin access rights and even Enterprise Admin rights. Do not let anyone
>>>> but domain admins log into DCs.
>>>>
>>>> joe
>>>>
>>>> --
>>>> Joe Richards Microsoft MVP Windows Server Directory Services
>>>> www.joeware.net
>>>>
>>>> DebraH wrote:
>>>>
>>>>> How do I make someone an admin but take away their rights to making changes
>>>>> within Active Directory? I would like to give a support user the ability to
>>>>> log on to Domain Controllers to troubleshoot DHCP, DNS and some applications
>>>>> that run on the server, but I do not want them to have the ability to make
>>>>> changes to Active Directory (create or delete OUs, delete admins etc).
>>>>>
>>>>> Thanks
>>>>> dhodgkins61@comcast.net
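One way to do what Joe suggests (grant start/stop on the specific services, operated remotely, with no DC logon) is to add an ACE to each service's security descriptor. This is an added example, not from the thread; the DC name DC01, the group CONTOSO\HelpDesk-ServiceOps and the service list are placeholders, and it is written for Windows PowerShell 5.1, where Get-Service still takes -ComputerName.

```powershell
# Added example: grant a help-desk group start/stop (but not reconfigure) rights on
# the DHCP, DNS and WINS services of a remote DC, then operate them from a workstation.
# Assumed placeholders: DC01 and CONTOSO\HelpDesk-ServiceOps are not from the thread.
$Dc       = 'DC01'
$Group    = 'CONTOSO\HelpDesk-ServiceOps'
$Services = 'DHCPServer', 'DNS', 'WINS'   # Windows service names for DHCP, DNS, WINS

# Resolve the group to its SID; SDDL ACEs must reference a SID, not a name.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Rights granted: CC query config, LC query status, SW enumerate dependents,
# RP start, WP stop, DT pause/continue, LO interrogate, RC read the DACL.
# Deliberately absent: DC (change config), SD, WD, WO. Those would let the holder
# redefine the service or rewrite its ACL, which is the escalation Joe warns about.
$ace = "(A;;CCLCSWRPWPDTLOCRRC;;;$sid)"

foreach ($svc in $Services) {
    # sc.exe sdshow prints a blank line and then the SDDL; keep only the SDDL line.
    $sddl = sc.exe "\\$Dc" sdshow $svc | Where-Object { $_ -match '^D:' }
    if (-not $sddl) { Write-Warning "Could not read descriptor for $svc on $Dc"; continue }
    if ($sddl -match [regex]::Escape($sid)) { continue }       # ACE already present

    # Prepend our ACE to the DACL; the SACL (the 'S:' part) is carried over unchanged.
    $new = $sddl -replace '^D:', "D:$ace"
    sc.exe "\\$Dc" sdset $svc $new | Out-Null

    # Verify the write took by reading the descriptor back.
    $check = sc.exe "\\$Dc" sdshow $svc | Where-Object { $_ -match '^D:' }
    if ($check -notmatch [regex]::Escape($sid)) { Write-Warning "ACE not applied on $svc" }
}

# What the help desk then runs from their own workstation, with no logon to the DC:
Get-Service -ComputerName $Dc -Name $Services | Format-Table Name, Status -AutoSize
Get-Service -ComputerName $Dc -Name 'DNS' | Restart-Service
```

The first part runs once as a domain admin; the last two lines are the help desk's day-to-day usage and need nothing beyond the ACE above plus the default remote connect right on the service control manager.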