Re: Server Operator Role
From: Jeff (anonymous_at_discussions.microsoft.com)
Date: 10/06/04
- Next message: Paul Bergson: "Re: How to: create group that can only add/mod/del users in AD"
- Previous message: anonymous_at_discussions.microsoft.com: "Authentication Problem"
- In reply to: Joe Richards [MVP]: "Re: Server Operator Role"
- Next in thread: Joe Richards [MVP]: "Re: Server Operator Role"
- Reply: Joe Richards [MVP]: "Re: Server Operator Role"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 6 Oct 2004 09:51:14 -0700
So if they had access to the DC, they could still get into
AD Users and Computers and change permissions even with
restricted rights?
>-----Original Message-----
>Quite honestly, if you give them serv ops, you might as well make them
>Enterprise Admins. A bright lad with interactive logon access to a DC will most
>likely be able to escalate their privs right up the chain.
>
>You shouldn't give ANYONE interactive or file system access to a DC that isn't a
>domain admin and then keep in mind that a domain admin can get Enterprise Admin
>if they know what they are doing.
>
>The mistake is to think of DCs as any other server, they are not, they are the
>stronghold for the security of your entire Windows environment. Just like I
>don't know any UNIX admins who would let people write to the file system of a
>UNIX KDC you shouldn't allow anyone to write to a Windows KDC and that is each
>and every domain controller.
>
>Thinking you can lock someone down who has interactive (or physical for that
>matter) access to a DC is uninformed.
>
> joe
>
>--
>Joe Richards Microsoft MVP Windows Server Directory Services
>www.joeware.net
>
>
>Jeff wrote:
>> Ok.. Once again. This is an odd situation. We basically
>> have a number of users with Domain Admin permissions. We
>> would like a set of users with access to the servers but
>> not active directory. The server operator role allows
>> local log on, shares, printers, permissions, etc.
>> However, it does not allow access to modify users, user
>> settings or Group Policy. The problem with Server
>> Operators is that this is limited to only DCs. We
>> basically want the users to have the equivalent of the
>> Server Op role but across the whole domain including the
>> DCs. We can't give them admin since that allows
>> modification of the user properties. We have three
>> policies setup. One on the Domain which is VERY basic.
>> The second is on the Domain Controllers which allows
>> various access levels. The last is on the Terminal
>> Servers. This one is EXTREMELY restrictive. Because of
>> this, the group cannot run the TS Policy. Hope this helps
>> clear up the situation.
>>
>>
>>>-----Original Message-----
>>>I completely misread that one!! I thought we were
>>>talking about DCs <blush>
>>>
>>>--
>>>
>>>Paul Williams
>>>
>>>http://www.msresource.net
>>>http://forums.msresource.net
>>>______________________________________
>>>"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
>>>news:eN5bo1yqEHA.3428@TK2MSFTNGP11.phx.gbl...
>>>Making someone a servop over a member server is rather involved. If you can
>>>live with them being administrators on the member server that will be
>>>considerably easier and let's face it, having srv ops gives someone
>>>enough power to be dangerous on a server anyway so making them admin isn't
>>>much of a step.
>>>
>>>Anyway you will want to make them admin on the citrix servers, not on the
>>>domain controllers. So set the citrix boxes in a special OU and create a policy for
>>>that OU that has administrators defined as a restricted group and add your
>>>users to that policy or some domain local or domain global group and then add your
>>>users to that group.
>>>
>>> joe
>>>
>>>--
>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>www.joeware.net
>>>
>>>
>>>Jeff wrote:
>>>
>>>>I know that the server operator is for domain controllers
>>>>only. However, we need to create an account that is
>>>>essentially the server operator role for all servers
>>>>including our Citrix farm. I created a test user and
>>>>added him to a new group. I then blocked that group from
>>>>running group policies and added the group to Log On
>>>>Locally on the machine. He still cannot log in. What am
>>>>I missing?
>>>>
>>>
>
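Joe's recommendation in the quoted post (a dedicated OU for the Citrix boxes, a GPO on that OU with Administrators defined as a Restricted Group, membership driven through a domain group, and nothing at all granted on the domain controllers) can be scripted end to end. The script below is an added example and is not code from the thread or from joeware.net; the domain, OU, group, GPO and account names are assumptions for illustration. Restricted Groups has no Group Policy cmdlet, so the script writes the GPO's security template (GptTmpl.inf) to SYSVOL directly and registers the Security client-side extension on the GPO, which is what the Group Policy editor does behind the scenes. It assumes a freshly created GPO (the extension list is replaced, not merged) and RSAT with the ActiveDirectory and GroupPolicy modules, run as a Domain Admin.

```powershell
# Added example (not from the thread): delegate local Administrators on the Citrix
# member servers through a Restricted Groups GPO linked to a dedicated OU, so the
# operators never need Server Operators (or any logon) on the domain controllers.
# All names below are assumptions for illustration; adjust OU, group, GPO and accounts.
#Requires -Modules ActiveDirectory, GroupPolicy

$domain     = Get-ADDomain
$domainDN   = $domain.DistinguishedName
$domainFqdn = $domain.DNSRoot
$ouName     = 'Citrix Servers'                          # assumption
$ouDN       = "OU=$ouName,$domainDN"
$groupName  = 'Citrix Server Admins'                    # assumption: domain global group
$gpoName    = 'Citrix Servers - Local Administrators'   # assumption
$operators  = @('jeff.ops', 'alice.ops')                # assumption: the operator accounts

# 1. Dedicated OU for the Citrix / Terminal Servers (move the computer objects in afterwards).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Domain global group that carries the delegation; later membership changes never touch the GPO.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN -PassThru
}
Add-ADGroupMember -Identity $group -Members $operators

# 3. GPO linked to the Citrix OU only. Never link this GPO to the Domain Controllers OU.
try   { $gpo = Get-GPO -Name $gpoName }
catch { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 4. Restricted Groups lives in the GPO's security template on SYSVOL. "Members" is
#    authoritative: every account not listed is removed from the local Administrators group
#    (only the built-in Administrator account survives), so list Domain Admins as well or the
#    existing admins are locked out of the Citrix boxes at the next refresh.
$domainAdminsSid = "$($domain.DomainSID.Value)-512"
$members  = "*$domainAdminsSid,*$($group.SID.Value)"
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = $members
"@
$policyRoot = "\\$domainFqdn\SYSVOL\$domainFqdn\Policies\{$($gpo.Id)}"
$secEditDir = Join-Path $policyRoot 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $secEditDir -Force | Out-Null
Set-Content -Path (Join-Path $secEditDir 'GptTmpl.inf') -Value $template -Encoding Unicode

# 5. Register the Security client-side extension on the GPO and bump the computer-side
#    version (low 16 bits of versionNumber); without both, clients ignore the new template.
$secCse     = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
$adGpo      = Get-ADObject -Identity $gpo.Path -Properties versionNumber
$newVersion = [int]$adGpo.versionNumber + 1
Set-ADObject -Identity $gpo.Path -Replace @{ gPCMachineExtensionNames = $secCse; versionNumber = $newVersion }
Set-Content -Path (Join-Path $policyRoot 'gpt.ini') -Value "[General]`r`nVersion=$newVersion" -Encoding Ascii

# 6. The check that matters for the thread's point: the operators must hold nothing on the DCs.
#    (On a Citrix server, after 'gpupdate /force', 'Get-LocalGroupMember Administrators'
#    should list only Domain Admins and $groupName.)
$dcSensitive = 'Server Operators', 'Account Operators', 'Backup Operators', 'Print Operators'
foreach ($g in $dcSensitive) {
    $hits = Get-ADGroupMember -Identity $g -Recursive | Where-Object { $operators -contains $_.SamAccountName }
    if ($hits) { Write-Warning "$g still contains: $($hits.SamAccountName -join ', ')" }
}
```

The GPO-side work (steps 4 and 5) is exactly what clicking through Computer Configuration > Windows Settings > Security Settings > Restricted Groups produces, so the result is viewable and editable in GPMC afterwards. Keep the `versionNumber` bump: a changed template with an unchanged version is silently skipped by the clients. The final loop is the part worth running on a schedule, since an operator who later lands in one of those built-in DC groups has, per Joe's point above, a realistic path to Domain Admin.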