Re: Rights needed to install servicepack/hotfix on DC
From: dude (dude_at_aol.com)
Date: 06/09/04
- Next message: Fawke101: "Re: Replication sbs 2000 - 4.5"
- Previous message: Alex Anderson: "Re: WINS question"
- In reply to: ptwilliams: "Re: Rights needed to install servicepack/hotfix on DC"
- Next in thread: Eric Chamberlain, CISSP: "Re: Rights needed to install servicepack/hotfix on DC"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 9 Jun 2004 11:37:31 -0500
Upon reviewing some security settings in AD, you are incorrect on this one.
By default, the built-in Administrators group DOES HAVE control over all OUs!
My point still stands. To give full access to DC without impacting the rest
of the AD/forest related security, is there a way to do this?
thanks
"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:%23TtPPZlSEHA.3552@TK2MSFTNGP09.phx.gbl...
> I'll explain what I meant... The builtin administrators group is, I believe,
> a domain local group; meaning this is the domain local admin group. The
> domain admins group is added to all domain members local administrator
> group -giving the domain admins group full control over all computers and
> servers in the domain. The Domain Local groups you see on DCs are a kind of
> local group to the DC -but to all DCs. The administrators group doesn't get
> added to the member servers and PCs administrator group therefore is only an
> administrator on DCs.
>
> Regarding only allowing installation rights, I'm not sure of how to do that
> without making them administrators. I suppose, if you were to make them
> power users, and then give them write access to the HKLM hive that may do
> it, but I wouldn't advise such a method.
>
>
> Paul.
> ___________________________
> "dude" <dude@aol.com> wrote in message
> news:udD6J0kSEHA.3636@TK2MSFTNGP09.phx.gbl...
> > I'm sorry if you missed my point. I do not want them to have full access to
> > the domain controllers, but need them to be able to install service packs or
> > hotfixes. I'd like to know if that's possible. And by "domain local
> > administrators" group, I'm not sure what you mean. This operation will be
> > performed on a DC, not a member server, so there is no local administrator's
> > group. All we have by the books is the Built-in Administrators group and
> > Domain Admins group.
> >
> > "ptwilliams" <ptw2001@hotmail.com> wrote in message
> > news:18F6EFC5-51A4-49E4-842B-17DCEF56BD95@microsoft.com...
> > > Yes. Make them members of the domain local administrators group.
> > >
> > > This gives them administrator access to the domain controllers, but
> > > doesn't add them to the local administrators accounts of member servers and
> > > PCs.
> > >
> > >
> > > Paul.
> > > ________________________________
> > >
> > > ----- dude wrote: -----
> > >
> > > I need to grant my regional admins the rights to install service packs or
> > > hotfixes on Win2k DCs without granting them the Domain Admin rights. Is
> > > this possible?
> > >
> > > thanks
> > >
> > >
> > >
> >
> >
>
>