Re: Administrator

Just a quick question, but why do you consider your Domain Admins being in
the Local Administrators group a security risk? As an FYI this is the default
behavior when the OS is installed as well. I do agree with Gary because if
you happen to do something to lock yourself out of Sharepoint having the
Domain Admins available might be the only thing that saves you.

If your concern is their ability to modify content indiscriminately, you may
want to draft a formal policy on usage to address this and get management
signoff. The other reason you want them to have this access is because don't
forget that Domain Admins also perform other administrative functions aside
from Sharepoint (OS patches, backups, software installs, etc.) where an
elevated level of administrative privileges are required.

The other example of this is the database. I'm assuming you are not the DBA
of the Sharepoint database as well. Otherwise you could make the same
argument that the DBA has too much access to the Sharepoint databases, which
in fact holds all the data. But a DBA is going to have more specific
knowledge/experience in managing databases than the application
administrator. So you wouldn't want to prevent the DBA from accessing the
Sharepoint databases, right?

"JMark" wrote:

> Thanks. In our company, domain admin group has to be added
> to the local administrator group for each server. So
> basically these guys are all admins of my SPPS - this is a
> security issue.
>
> How can we solve this?
>
>
>
> >-----Original Message-----
> >No. This is a security feature so that there is always a
> way to manage
> >security just in case someone screws up and deletes all
> admin rights on a
> >site or area.
> >
> >--
> >Gary A. Bushey
> >SPS MVP
> >bushey@xxxxxxxxxxxxxx
> >"JMark" <anonymous@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message
> >news:0b1f01c53a08$419c0320$a501280a@xxxxxxxxxx
> >> Hi,
> >>
> >> Members of the administrators group for the local SPP
> >> server computer are allowed to perform administrative
> >> functions for SPPS.
> >>
> >> In our SPP server, 3 users from the domain admin group
> are
> >> the local administrator of this server. Is there any
> ways
> >> that I can remove their "admin" rights from the SPPS
> >> without removing them from the local administrator group
> >> of tha server?
> >>
> >> Please help.
> >
> >
> >.
> >
>
.

Relevant Pages

  • Re: Server 2008: You dont currently have permission to access this folder
    ... When an administrator logs on to a computer running Windows Vista or Windows Server 2008, the user is assigned two separate access tokens. ... check out and TEST the GPO, Computer configuration, windows settings, security settings, local policies, security options, "User account control: Behavior of the elevation prompt for administrators in Admin Approval Mode", choose "Elevate without prompting". ... However I am a member of Domain Admins. ...
    (microsoft.public.windows.server.general)
  • [NT] User Downgraded from Administrator to User Retains the Ability to List Other Users Running Task
    ... Beyond Security would like to welcome Tiscali World Online ... Windows XP presents a new option called "Fast User Switching" (FUS). ... Eitan has found that if a user is downgraded from an administrator role to ... as shown in task manager)) via tempting the local ...
    (Securiteam)
  • Re: Is complete home security possible?
    ... > If you are a gamer, some computer games will only run in administrator ... I have a clean disk image made from Norton Ghost, ... security issues to deal with to do it monthly, ... I have been using computers since 76, never had a virus on any of my ...
    (comp.security.firewalls)
  • Re: FOR A SKILLED IT EXPERT - WIN2K SERVER - DOMAIN CONTROLLER
    ... After installing a parallel copy of WIN2K SERVER, ... Administrator access in Directory Services Restore Safe Mode. ... This reset the local policy back to ... manual security reset. ...
    (microsoft.public.win2000.security)
  • "run as" local denial-of-service enables administrative account processes to be killed
    ... Windows XP Professional with SP2 ... While a user, at any security membership ... A contributing factor to the success of the attack ... Log in to the computer as a local administrator. ...
    (Bugtraq)
Loading