Re: Server Operator Role

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 10/06/04

Next message: Register: "Is it possible to register a dll ..."
Previous message: Tom: "What is E-mail field used for under General Tab of user properties"
In reply to: Jeff: "Re: Server Operator Role"
Next in thread: Jeff: "Re: Server Operator Role"
Reply: Jeff: "Re: Server Operator Role"
Messages sorted by: [ date ] [ thread ]

Date: Wed, 06 Oct 2004 10:11:59 -0400

Quite honestly, if you give them serv ops, you might as well make them
Enterprise Admins. A bright lad with interactive logon access to a DC will most
likely be able to escalate their privs right up the chain.

You shouldn't give ANYONE interactive or file system access to a DC that isn't a
domain admin and then keep in mind that a domain admin can get Enterprise Admin
if they know what they are doing.

The mistake is to think of DCs as any other server, they are not, they are the
stronghold for the security of your entire Windows environment. Just like I
don't know any UNIX admins who would let people write to the file system of a
UNIX KDC you shouldn't allow anyone to write to a Windows KDC and that is each
and every domain controller.

Thinking you can lock someone down who has interactive (or physical for that
matter) access to a DC is uninformed.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Jeff wrote:
> Ok..  Once again.  This is an odd situation.  We basically 
> have a number of users with Domain Admin permissions.  We 
> would like a set of users with access to the servers but 
> not active directory.  The server operator role allows 
> local log on, shares, printers, permissions, etc.  
> However, it does not allow access to modify users, user 
> settings or Group Policy.  The problem with Server 
> Operators is that this is limited to only DCs.  We 
> basically want the users to have the equivelent of the 
> Server Op role but across the whole domain including the 
> DCs.  We cant give them admin since that allows 
> modification of the user properties.  We have three 
> policies setup.  One on the Domain which is VERY basic.  
> The second is on the Domain Controllers which allows 
> various access levels.  The last is on the Terminal 
> Servers.  This one is EXTREMELY restictive.  Because of 
> this, the group cannot run the TS Policy.  Hope this helps 
> clear up the situation.
> 
> 
>>-----Original Message-----
>>I completely misread that one!!  I thought we were 
> 
> talking about DCs <blush>
> 
>>-- 
>>
>>Paul Williams
>>
>>http://www.msresource.net
>>http://forums.msresource.net
>>______________________________________
>>"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in 
> 
> message 
> 
>>news:eN5bo1yqEHA.3428@TK2MSFTNGP11.phx.gbl...
>>Making someone a servop over a member server is rather 
> 
> involved. If you can 
> 
>>live
>>with them being administrators on the member server that 
> 
> will be 
> 
>>considerably
>>easier and let's face it, having srv ops gives someone 
> 
> enough power to be
> 
>>dangerous on a server anyway so making them admin isn't 
> 
> much of a step.
> 
>>Anyway you will want to make them admin on the citrix 
> 
> servers, not on the 
> 
>>domain
>>controllers. So set the citrix boxes in a special OU and 
> 
> create a policy for
> 
>>that OU that has administrators defined as a restricted 
> 
> group and add your 
> 
>>users
>>to that policy or some domain local or domain global 
> 
> group and then add your
> 
>>users to that group.
>>
>>   joe
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory 
> 
> Services
> 
>>www.joeware.net
>>
>>
>>
>>Jeff wrote:
>>
>>>I know that the server operator is for domain 
> 
> controllers
> 
>>>only.  However, we need to create an account that is
>>>essentially the server operator role for all servers
>>>including our Citrix farm.  I created a test user and
>>>added him to a new group.  I then blocked that group 
> 
> from
> 
>>>running group policies and added the group to Log On
>>>Locally on the machine.  He still cannot log in.  What 
> 
> am
> 
>>>I missing?
>>>
>>
>>
>>.
>>

Next message: Register: "Is it possible to register a dll ..."
Previous message: Tom: "What is E-mail field used for under General Tab of user properties"
In reply to: Jeff: "Re: Server Operator Role"
Next in thread: Jeff: "Re: Server Operator Role"
Reply: Jeff: "Re: Server Operator Role"
Messages sorted by: [ date ] [ thread ]

Relevant Pages

Re: Administrator Profile corruption
... To clear up a few things: On the Friday I rebooted the server and things got ... Administrator logon to see which group policy objects are applied?’ ... concluded that the admin account was completely toasted. ... We ran the user profile Cleanup Hive Service. ...
(microsoft.public.windows.server.sbs)
Domain Controller Security Policy errors
... Security Policy or the Domain Controller Security Policy. ... The DC is also a print and file server. ... DNS servers. ... Local setting: Admin, SERVICE ...
(microsoft.public.win2000.group_policy)
Domain Controller Security Policy errors
... Security Policy or the Domain Controller Security Policy. ... The DC is also a print and file server. ... DNS servers. ... Local setting: Admin, SERVICE ...
(microsoft.public.win2000.group_policy)
Re: Secure host newbie - fun - humm
... decision, as the admin, whether or not to take down the server. ... Listen, as a security specialist, I *know* that every single box that I, ... some level of risk and that there is no "100% I'm secure" level. ...
(Security-Basics)
Re: Server Operator Role
... >domain admin and then keep in mind that a domain admin ... >Joe Richards Microsoft MVP Windows Server Directory ... >> have a number of users with Domain Admin permissions. ... the group cannot run the TS Policy. ...
(microsoft.public.win2000.active_directory)