Re: Server Operator Role


From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: Thu, 07 Oct 2004 00:08:54 -0400

What I am saying is you can't sufficiently lock someone down that can log on
interactively. And from there, the forest is the security boundary, not the
domain, not the DC.

The security around domain controllers is based on users getting only network-based
access to authentication/ldap/policies services. Generally read-only
except for some fairly non-consequential resources. As you bring someone into
the fold and give them access to manipulate the file system or get interactive
logon access or manipulate services the exposure increases tremendously.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Jeff wrote:
> So if they had access to the DC, they could still get into
> AD Users and Computers and change permissions even with
> restricted rights?
>
>> -----Original Message-----
>> Quite honestly, if you give them serv ops, you might as well make them
>> Enterprise Admins. A bright lad with interactive logon access to a DC will most
>> likely be able to escalate their privs right up the chain.
>>
>> You shouldn't give ANYONE interactive or file system access to a DC that isn't a
>> domain admin and then keep in mind that a domain admin can get Enterprise Admin
>> if they know what they are doing.
>>
>> The mistake is to think of DCs as any other server, they are not, they are the
>> stronghold for the security of your entire Windows environment. Just like I
>> don't know any UNIX admins who would let people write to the file system of a
>> UNIX KDC you shouldn't allow anyone to write to a Windows KDC and that is each
>> and every domain controller.
>>
>> Thinking you can lock someone down who has interactive (or physical for that
>> matter) access to a DC is uninformed.
>>
>>   joe
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>> Jeff wrote:
>>
>>> Ok.. Once again. This is an odd situation. We basically
>>> have a number of users with Domain Admin permissions. We
>>> would like a set of users with access to the servers but
>>> not Active Directory. The server operator role allows
>>> local log on, shares, printers, permissions, etc.
>>> However, it does not allow access to modify users, user
>>> settings or Group Policy. The problem with Server
>>> Operators is that this is limited to only DCs. We
>>> basically want the users to have the equivalent of the
>>> Server Op role but across the whole domain including the
>>> DCs. We can't give them admin since that allows
>>> modification of the user properties. We have three
>>> policies set up. One on the Domain which is VERY basic.
>>> The second is on the Domain Controllers which allows
>>> various access levels. The last is on the Terminal
>>> Servers. This one is EXTREMELY restrictive. Because of
>>> this, the group cannot run the TS Policy. Hope this helps
>>> clear up the situation.
>>>
>>>> -----Original Message-----
>>>> I completely misread that one!! I thought we were
>>>> talking about DCs <blush>
>>>>
>>>> --
>>>> Paul Williams
>>>>
>>>> http://www.msresource.net
>>>> http://forums.msresource.net
>>>> ______________________________________
>>>> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
>>>> news:eN5bo1yqEHA.3428@TK2MSFTNGP11.phx.gbl...
>>>> Making someone a servop over a member server is rather involved. If you can live
>>>> with them being administrators on the member server that will be considerably
>>>> easier and let's face it, having srv ops gives someone enough power to be
>>>> dangerous on a server anyway so making them admin isn't much of a step.
>>>>
>>>> Anyway you will want to make them admin on the citrix servers, not on the domain
>>>> controllers. So set the citrix boxes in a special OU and create a policy for
>>>> that OU that has administrators defined as a restricted group and add your users
>>>> to that policy or some domain local or domain global group and then add your
>>>> users to that group.
>>>>
>>>>   joe
>>>>
>>>> --
>>>> Joe Richards Microsoft MVP Windows Server Directory Services
>>>> www.joeware.net
>>>>
>>>> Jeff wrote:
>>>>
>>>>> I know that the server operator is for domain controllers
>>>>> only. However, we need to create an account that is
>>>>> essentially the server operator role for all servers
>>>>> including our Citrix farm. I created a test user and
>>>>> added him to a new group. I then blocked that group from
>>>>> running group policies and added the group to Log On
>>>>> Locally on the machine. He still cannot log in. What am
>>>>> I missing?

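Joe's point in this thread, that interactive logon or file-system-level rights on a DC amount to full control of it, can be checked on a real DC rather than assumed. The PowerShell below is an added example, not code from the thread or its participants: it reads the [Privilege Rights] section of a security template in the format written by `secedit /export /cfg <file> /areas USER_RIGHTS` and lists every principal holding such a right who is not on an allow-list. The embedded template text is constructed to mirror Windows Server 2003 DC defaults, and CONTOSO\Citrix-Ops is a hypothetical group name.

```powershell
# Added example, not from the thread: list who holds DC rights that amount to full
# control of the box (interactive logon, or backup/restore/driver-load rights that
# let the holder write to the DC's file system). Input is the [Privilege Rights]
# section that "secedit /export /cfg dc-rights.inf /areas USER_RIGHTS" writes.
# CONSTRUCTED sample mirroring Windows Server 2003 DC defaults plus one hypothetical
# custom group (CONTOSO\Citrix-Ops); it is not a real export.
$SampleExport = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,CONTOSO\Citrix-Ops
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
'@

# Rights that, per the thread, make their holder a de-facto Enterprise Admin on a DC.
$SensitiveRights = @('SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
                     'SeBackupPrivilege', 'SeRestorePrivilege', 'SeLoadDriverPrivilege')
# Well-known BUILTIN SIDs exactly as secedit writes them (leading '*').
$WellKnown = @{
    '*S-1-5-32-544' = 'BUILTIN\Administrators';    '*S-1-5-32-548' = 'BUILTIN\Account Operators'
    '*S-1-5-32-549' = 'BUILTIN\Server Operators';  '*S-1-5-32-550' = 'BUILTIN\Print Operators'
    '*S-1-5-32-551' = 'BUILTIN\Backup Operators'
}

function Get-UnexpectedDcRightHolders {
    param(
        [Parameter(Mandatory)] [string] $TemplateText,
        [string[]] $Allowed = @('BUILTIN\Administrators')   # the only acceptable holders
    )
    $findings = @()
    foreach ($line in ($TemplateText -split "`r?`n")) {
        # Only "SeSomething = a,b,c" lines are user-right assignments; skip the rest.
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $SensitiveRights -contains $Matches[1]) {
            $right, $list = $Matches[1], $Matches[2]
            foreach ($raw in ($list -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
                # Translate well-known SIDs to names; leave domain accounts/groups as written.
                $name = if ($WellKnown.ContainsKey($raw)) { $WellKnown[$raw] } else { $raw }
                if ($Allowed -notcontains $name) {
                    $findings += [pscustomobject]@{ Right = $right; Principal = $name }
                }
            }
        }
    }
    return $findings
}

Get-UnexpectedDcRightHolders -TemplateText $SampleExport | Format-Table -AutoSize
```

On the constructed sample this reports Server Operators, Backup Operators, Account Operators and Print Operators under the interactive, backup/restore and driver-load rights, which is exactly why the thread treats Server Operators on a DC as equivalent to Enterprise Admins; on a real DC, pass `(Get-Content dc-rights.inf -Raw)` from the secedit export as -TemplateText.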
