Re: branch office administrator
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/17/05
- Next message: Herb Martin: "Re: Realy good book"
- Previous message: Joe Richards [MVP]: "Re: Realy good book"
- In reply to: Brian Higgins: "Re: branch office administrator"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 17 Jan 2005 13:22:56 -0500
If you give any interactive access to the DC you might as well give admin to the
domain.
You can definitely give access to an OU to add/remove/modify computers/users.
That is all done through the normal delegation model tools.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Brian Higgins wrote:
> at this point that would be my preferred choice, unfortunately that is not
> an option here... is there a way I can give him access to AD, from one of
> the XP machines that will not severely compromise the network (I have never
> had to share the administrative control of a network with someone that
> didn't deserve full administrative rights before, so delegation of authority
> is new to me)? also, is there any way to give him "user" access to the DC,
> so that he can check and do anything in RRAS should a problem occur?
>
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:Omk8PaE$EHA.2568@TK2MSFTNGP10.phx.gbl...
>
>>Honestly, I would yank the DC out of that site. You are in a dangerous
>>position. If you give this person any local admin type accesses (ability
>>to log on locally, ability to mess with services, ability to write to the
>>file system, etc) to the DC he has immense power to hurt you. If you don't
>>give him access he can compromise the DC because he has physical access to
>>it. The reasons behind it can be to show that you guys shouldn't be
>>running the stuff. It sounds a little cynical but I have had people
>>contact me with similar issues previously, that crap happens.
>>
>>You can not secure against this person. Former should mean, he isn't
>>anywhere near the location.
>>
>> joe
>>
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>Brian Higgins wrote:
>>
>>>I have a client that has 25 branch locations. we are in the process of
>>>upgrading and bringing nearly all of these online and setup under one
>>>domain (DC/GC housed at each office with separate sites defined for each
>>>physical location with some sort of high speed connection between 384
>>>Kb/s and 3.0 Mb/s at each location with a VPN link back to corporate).
>>>Most of the sites only have between 5-15 users.
>>>
>>>The plant manager is complaining at one location that was brought online
>>>this last week, because the former "IT Guy" that took care of their
>>>equipment is a friend of his and he doesn't want him to stop doing their
>>>work. We work for the corporate office so he doesn't have much choice/say
>>>over most of this, but he has managed to get corporate to give him
>>>permission to give full administrative rights over the computers and
>>>server at the location to his buddy the "IT Guy"
>>>
>>>As I said, the server is a DC and GC (2003 native mode) so I can't
>>>just give him local admin rights to the server.
>>>
>>>What is the best way to give him administrative control over the server,
>>>and user accounts/computer accounts, without compromising security on the
>>>rest of the network? (all objects in AD that pertain to the location are
>>>housed in or under a OU, except for the Server which is obviously in the
>>>Domain Controllers OU, I have already run the delegate permission wizard
>>>in AD for that OU.)??
>>>
>>>Thanks in advance...
>>>
>>>Brian
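
The OU-scoped delegation described in the reply above, shown as an added example that is not part of the original thread: a PowerShell wrapper around `dsacls.exe` that grants a group control of user and computer objects under one branch OU and refuses to touch the Domain Controllers OU. The OU distinguished name and the group name are placeholder assumptions.

```powershell
# Added example: delegate user/computer management on ONE branch OU with dsacls.exe.
# $BranchOU and $Delegate are placeholders (assumptions), not values from the thread.
param(
    [string]$BranchOU = 'OU=BranchSite,DC=example,DC=com',
    [string]$Delegate = 'EXAMPLE\BranchSite-OU-Admins'
)

# Guard reflecting the advice above: nothing is delegated on the DCs themselves
# or on the domain root, only on an ordinary OU.
if ($BranchOU -notmatch '^OU=' -or $BranchOU -match '(^|,)OU=Domain Controllers,') {
    throw "Refusing to delegate on '$BranchOU': target must be a branch OU."
}

$grants = @(
    # CC/DC = create/delete child objects of the named class,
    # applied to this OU and its sub-OUs (/I:T).
    @{ Inherit = 'T'; Ace = 'CCDC;user' },
    @{ Inherit = 'T'; Ace = 'CCDC;computer' },
    # GA = full control, inherited only by descendant objects of the
    # named class (/I:S), so the OU object itself is not handed over.
    @{ Inherit = 'S'; Ace = 'GA;;user' },
    @{ Inherit = 'S'; Ace = 'GA;;computer' }
)

foreach ($g in $grants) {
    # ${Delegate} is braced so PowerShell does not read "$Delegate:" as a scope prefix.
    & dsacls.exe $BranchOU "/I:$($g.Inherit)" /G "${Delegate}:$($g.Ace)"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for ACE '$($g.Ace)'" }
}

# Review the result: list only the ACL entries that name the delegate group.
& dsacls.exe $BranchOU | Select-String -SimpleMatch $Delegate
```

Granting to a group rather than to the individual account means the delegation can be withdrawn by removing one membership, without editing the OU's ACL again.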