Re: branch office administrator
From: Brian Higgins (brian_at_-NO-accentconsulting-SPAM-.com)
Date: 01/17/05
- Next message: Simon Geary: "Re: How to prevent users from logging on the local machine?"
- Previous message: Mike_68: "dcpromo /forceremoval does not work"
- In reply to: Joe Richards [MVP]: "Re: branch office administrator"
- Next in thread: Joe Richards [MVP]: "Re: branch office administrator"
- Reply: Joe Richards [MVP]: "Re: branch office administrator"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 17 Jan 2005 10:42:54 -0500
at this point that would be my preferred choice, unfortunately that is not
an option here... is there a way i can give him access to AD, from one of
the XP machines that will not severly compromise the network(I have never
had to share the administrative control of a network with someone that
didn't diserve full administrative rights before, so delegation of authority
is new to me)? also, is there any way to give him "user" access to the DC,
so that he can check and do anything in RRAS should a problem occur?
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:Omk8PaE$EHA.2568@TK2MSFTNGP10.phx.gbl...
> Honestly, I would yank the DC out of that site. You are in a dangerous
> position. If you give this person any local admin type accesses (ability
> to log on locally, ability to mess with services, ability to write to the
> file system, etc) to the DC he has immense power to hurt you. If you don't
> give him access he can compromise the DC because he has physical access to
> it. The reasons behind it can be to show that you guys shouldn't be
> running the stuff. It sounds a little cynical but I have had people
> contact me with similar issues previously, that crap happens.
>
> You can not secure against this person. Former should mean, he isn't
> anywhere near the location.
>
> joe
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Brian Higgins wrote:
>> I have a client that has 25 branch locations. we are in the process of
>> upgrading and bringing nearly all of these online and setup under one
>> domain (DC/GC housed at each office with separate sites defined for each
>> physical location with some sort of high speed connection between 384
>> Kb/s and 3.0 Mb/s at each location with a VPN link back to corporate).
>> Most of the sites only have between 5-15 users.
>>
>> The plant manager is complaining at one location that was brought online
>> this last week, because the former "IT Guy" that took care of their
>> equipment is a friend of his and he doesn't want him to stop doing their
>> work. We work for the corporate office so he doesn't have much choice/say
>> over most of this, but he has managed to get corporate to give him
>> permission to give full administrative rights over the computers and
>> server at the location to his buddy the "IT Guy"
>>
>> As I said, the server is a DC and GC (2003 native mode) so I can't
>> justgive him local admin rights to the server.
>>
>> What is the best way to give him administrative control over the server,
>> and user accounts/computer accounts, without compromising security on the
>> rest of the network? (all objects in AD that pertain to the location are
>> housed in or under a OU, except for the Server which is obviously in the
>> Domain Controllers OU, I have already ran the delegate permission wizard
>> in AD for that OU.)??
>>
>> Thanks in advance...
>>
>> Brian
- Next message: Simon Geary: "Re: How to prevent users from logging on the local machine?"
- Previous message: Mike_68: "dcpromo /forceremoval does not work"
- In reply to: Joe Richards [MVP]: "Re: branch office administrator"
- Next in thread: Joe Richards [MVP]: "Re: branch office administrator"
- Reply: Joe Richards [MVP]: "Re: branch office administrator"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
