Re: branch office administrator

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/17/05


Date: Sun, 16 Jan 2005 22:42:20 -0500

Honestly, I would yank the DC out of that site. You are in a dangerous position.
If you give this person any local admin type accesses (ability to log on
locally, ability to mess with services, ability to write to the file system,
etc) to the DC he has immense power to hurt you. If you don't give him access he
can compromise the DC because he has physical access to it. The reasons behind
it can be to show that you guys shouldn't be running the stuff. It sounds a
little cynical but I have had people contact me with similar issues previously,
that crap happens.

You cannot secure against this person. Former should mean he isn't anywhere
near the location.

   joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Brian Higgins wrote:
> I have a client that has 25 branch locations. We are in the process of 
> upgrading and bringing nearly all of these online and setup under one domain 
> (DC/GC housed at each office with separate sites defined for each physical 
> location with some sort of high speed connection between 384 Kb/s and 3.0 
> Mb/s at each location with a VPN link back to corporate). Most of the sites 
> only have between 5-15 users.
> 
> The plant manager is complaining at one location that was brought online 
> this last week, because the former "IT Guy" that took care of their 
> equipment is a friend of his and he doesn't want him to stop doing their 
> work. We work for the corporate office so he doesn't have much choice/say 
> over most of this, but he has managed to get corporate to give him 
> permission to give full administrative rights over the computers and server 
> at the location to his buddy the "IT Guy"
> 
> As I said, the server is a DC and GC (2003 native mode) so I can't just give 
> him local admin rights to the server.
> 
> What is the best way to give him administrative control over the server, and 
> user accounts/computer accounts, without compromising security on the rest 
> of the network? (all objects in AD that pertain to the location are housed 
> in or under an OU, except for the Server which is obviously in the Domain 
> Controllers OU, I have already run the delegate permission wizard in AD for 
> that OU.)??
> 
> Thanks in advance...
> 
> Brian 
> 
> 
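As an added illustration of the point above (not code from Joe's reply or Brian's post), this PowerShell snippet lists who already holds the kind of access Joe describes on a domain controller: membership in the built-in groups that grant interactive logon, service control or file-system write on DCs. It assumes the ActiveDirectory module (RSAT) on a domain-joined host; the branch OU distinguished name is a placeholder.

```powershell
# Added example: audit "local admin type" access on domain controllers.
# Assumes the ActiveDirectory module is installed and the caller can read AD.
Import-Module ActiveDirectory

# Built-in groups whose members can log on to, alter services on, or write
# to the file system of every DC in the domain (not just the branch DC).
$dcPrivilegedGroups = @(
    'Administrators',
    'Domain Admins',
    'Enterprise Admins',
    'Server Operators',
    'Backup Operators',
    'Print Operators',
    'Account Operators'
)

function Get-DcPrivilegedMembers {
    param([string[]]$Groups = $dcPrivilegedGroups)
    foreach ($g in $Groups) {
        # -Recursive flattens nested groups so indirect members are not missed.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            [pscustomobject]@{
                Group             = $g
                Member            = $m.SamAccountName
                ObjectClass       = $m.objectClass
                DistinguishedName = $m.distinguishedName
            }
        }
    }
}

# Placeholder: the OU that holds the branch site's users and computers.
$branchOu = 'OU=BranchSite,DC=example,DC=com'

# Any branch-site principal in this list has the DC-wide access Joe warns
# about, regardless of what was delegated on the branch OU itself.
Get-DcPrivilegedMembers |
    Where-Object { $_.DistinguishedName -like "*$branchOu" } |
    Format-Table Group, Member, ObjectClass -AutoSize
```

Run without the `Where-Object` filter to review the full membership of these groups, since delegation on an OU does nothing to limit rights granted through them.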

