Re: Administrator
- From: "KnightFall1" <KnightFall1@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 6 Apr 2005 14:13:05 -0700
Well as far as the SQL DBA point I brought up, part of the reason for that is
that there is no global SQL Admins domain group anyway but that wasn't done
because of Sharepoint especially since SQL Server existed before Sharepoint
did.
I mainly suggest this because I'm not sure that you want to also take on the
role of a DBA and Sharepoint Administrator. And a DBA will know more about
tuning the database and other relevant configuration information.
However I do understand your desire to restrict data access where possible.
"JMark" wrote:
> I am not saying about the "risk" - it is an issue of
> SPPS. Recently my boss asked me to set up a site for our
> IT group and I encounter this. For instance, some areas
> need to get my boss' approval before go live to everyone -
> but right now, all domain admin guys can bypass this.
>
> Sometimes drafting the policy is not enough and this is
> why we need to use the permission control. There are
> couple of levels of security groups within SPPS to control
> users' access rights - why don't we just draft a policy to
> tell users?
>
> I think this would not be an issue that "screw something
> and lock me out" since the last administrator can not be
> deleted from the site. Also there are ways to recover the
> SPPS even if I would screw it. Why does not Microsoft give
> me a choice which I can choose to include domain admins as
> my SPPS admin or not? This way I can decide it. Regarding
> your point about DBA, I guess you just prove my point -
> Microsoft does the right thing here which has not
> automatically given all DBAs of the SPPS database admin
> rights to my SPPS sites.
>
> Thanks for discussing this with me.
> >-----Original Message-----
> >Just a quick question, but why do you consider your
> Domain Admins being in
> >the Local Administrators group a security risk? As an FYI
> this is the default
> >behavior when the OS is installed as well. I do agree
> with Gary because if
> >you happen to do something to lock yourself out of
> Sharepoint having the
> >Domain Admins available might be the only thing that
> saves you.
> >
> >If your concern is their ability to modify content
> indiscriminately, you may
> >want to draft a formal policy on usage to address this
> and get management
> >signoff. The other reason you want them to have this
> access is because don't
> >forget that Domain Admins also perform other
> administrative functions aside
> >from Sharepoint (OS patches, backups, software installs,
> etc.) where an
> >elevated level of administrative privileges are required.
> >
> >The other example of this is the database. I'm assuming
> you are not the DBA
> >of the Sharepoint database as well. Otherwise you could
> make the same
> >argument that the DBA has too much access to the
> Sharepoint databases, which
> >in fact holds all the data. But a DBA is going to have
> more specific
> >knowledge/experience in managing databases than the
> application
> >administrator. So you wouldn't want to prevent the DBA
> from accessing the
> >Sharepoint databases, right?
> >
> >"JMark" wrote:
> >
> >> Thanks. In our company, domain admin group has to be
> added
> >> to the local administrator group for each server. So
> >> basically these guys are all admins of my SPPS - this
> is a
> >> security issue.
> >>
> >> How can we solve this?
> >>
> >>
> >>
> >> >-----Original Message-----
> >> >No. This is a security feature so that there is
> always a
> >> way to manage
> >> >security just in case someone screws up and deletes
> all
> >> admin rights on a
> >> >site or area.
> >> >
> >> >--
> >> >Gary A. Bushey
> >> >SPS MVP
> >> >bushey@xxxxxxxxxxxxxx
> >> >"JMark" <anonymous@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> >> message
> >> >news:0b1f01c53a08$419c0320$a501280a@xxxxxxxxxx
> >> >> Hi,
> >> >>
> >> >> Members of the administrators group for the local SPP
> >> >> server computer are allowed to perform administrative
> >> >> functions for SPPS.
> >> >>
> >> >> In our SPP server, 3 users from the domain admin
> group
> >> are
> >> >> the local administrator of this server. Is there any
> >> ways
> >> >> that I can remove their "admin" rights from the SPPS
> >> >> without removing them from the local administrator
> group
> >> >> of tha server?
> >> >>
> >> >> Please help.
> >> >
> >> >
> >> >.
> >> >
> >>
> >.
> >
>
.
- Follow-Ups:
- Re: Administrator
- From: JMark
- Re: Administrator
- References:
- Administrator
- From: JMark
- Re: Administrator
- From: Gary A. Bushey [MVP]
- Re: Administrator
- From: JMark
- Re: Administrator
- From: KnightFall1
- Re: Administrator
- From: JMark
- Administrator
- Prev by Date: RE: Problems with search
- Next by Date: Re: Change location of Bin Folder
- Previous by thread: Re: Administrator
- Next by thread: Re: Administrator
- Index(es):
Relevant Pages
|
