RE: Domain Admin access on only a few servers??

From: Phillip Renouf (PhillipRenouf_at_discussions.microsoft.com)
Date: 02/10/05


Date: Thu, 10 Feb 2005 08:05:02 -0800

Definitely agreed. I would contact the vendor and find out exactly what
rights their service account needs, then I would create them an account and
delegate only those rights to it that they specify they require.

Definitely avoid giving domain admins to a service account if you can avoid
it.

Phil

"Allen Firouz" wrote:

> John:
>
> I am always leery of making anyone a Domain Admin, especially an outside
> vendor. The ramifications can be huge and rarely good. Questions to ask
> them are: why do they need Domain Admin rights? What tasks do they need
> to perform domain-wide? How does their system interface with AD?
>
> Based on their feedback and with planning, you can delegate specific
> control to them using the Delegate Control feature > custom and assigning
> specific rights to them. Additionally, you can create a custom MMC and
> distribute it to them that only gives them access to the servers they need and
> nothing more.
>
> I would still recommend completely against Domain Admin access for outsiders.
>
> -Allen Firouz
>
> "John Taylor" wrote:
>
> > Our company has purchased a medical software system which included 3
> > Dell servers. They say they need to have domain admin level access.
> > We have given them local admin access on those 3 servers and are not
> > too fond of giving them domain admin access as they would be able to
> > access any of our network servers.
> >
> > Is there a way to give them domain admin level access but only somehow
> > restrict them to those 3 servers?
> >
> > Thanks,
> > -John
> >
> >


