Re: Server access and control

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 02/10/05


Date: Thu, 10 Feb 2005 20:07:54 -0000


> A local admin on a DC is basically a god in the forest.

Great analogy!!! ;-)

-- 
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message 
news:uc3z7j6DFHA.328@tk2msftngp13.phx.gbl...
A local admin on a DC is basically a god in the forest. He can debug lsass
and he can also reboot into DSRM and physically edit the DIT. Both require
skill, but nevertheless...
-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:eaR3HCwDFHA.2756@TK2MSFTNGP15.phx.gbl...
> Yes and no.  You can grant them rights to the DC and not make them
> administrators for the whole domain in the sense that they cannot administer
> all domain members, i.e. domain admin like rights and permissions; but
> giving control to one DC gives it to all, and in another sense the DC is the
> domain and therefore you are granting administrative privileges to the
> entire domain - but in this statement I'm talking about the domain as in
> dc=domain-name,dc=com and possibly cn=configuration,dc=domain-name,dc=com
> and cn=schema,cn=configuration,dc=domain-name,dc=com *not* all domain
> members.
>
> That's the main difference between administrators and domain admins.
>
> What rights are we talking about?
>
> Logon rights can be applied through default domain controllers policy.
>
> -- 
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Steve" <Steve@discussions.microsoft.com> wrote in message
> news:E6B594BE-9764-4344-BCB0-5E051ADFC237@microsoft.com...
> I have a couple of users I want to have administrator rights to certain
> servers. One of these servers is a DC server. Can I give them rights to log
> on and perform tasks on that server without giving them admin rights to the
> whole domain?
>
>
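
An added example, not part of the original thread: a PowerShell audit of who already holds the DC-level control discussed above, listing members of BUILTIN\Administrators that are not Domain Admins or Enterprise Admins, then the logon and debug rights in effect on the DC. It assumes the RSAT ActiveDirectory module, an elevated session on a domain controller, and group memberships that do not cross domains; the helper name and temp file name are hypothetical.

```powershell
# Added example: assumes the ActiveDirectory module and an elevated session on a DC.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
$rootDns   = (Get-ADForest).RootDomain
$rootSid   = (Get-ADDomain -Identity $rootDns).DomainSID.Value

# Hypothetical helper: SIDs of all non-group members of a group, nested groups expanded.
function Get-LeafMemberSid {
    param([string]$GroupSid, [string]$Server)
    $p = @{ Identity = $GroupSid; Recursive = $true }
    if ($Server) { $p.Server = $Server }
    Get-ADGroupMember @p | ForEach-Object { $_.SID.Value }
}

# Principals that are expected to control the domain.
$expected  = @("$domainSid-500")                                          # built-in Administrator
$expected += Get-LeafMemberSid -GroupSid "$domainSid-512"                 # Domain Admins
$expected += Get-LeafMemberSid -GroupSid "$rootSid-519" -Server $rootDns  # Enterprise Admins

# BUILTIN\Administrators (S-1-5-32-544) is the "local admin" group shared by every DC.
$dcAdmins = Get-ADGroupMember -Identity 'S-1-5-32-544' -Recursive

# Anyone listed here has DC-level control without being a Domain or Enterprise Admin.
$dcAdmins |
    Where-Object { $expected -notcontains $_.SID.Value } |
    Select-Object SamAccountName, objectClass, @{ n = 'SID'; e = { $_.SID.Value } } |
    Format-Table -AutoSize

# User rights in effect on this DC (normally set by the Default Domain Controllers Policy):
# local logon, Remote Desktop logon, and the debug privilege needed to attach to lsass.
$cfg = Join-Path $env:TEMP 'dc-user-rights.inf'   # hypothetical temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^(SeInteractiveLogonRight|SeRemoteInteractiveLogonRight|SeDebugPrivilege)\s*=' |
    ForEach-Object { $_.Line }
Remove-Item $cfg
```

SIDs in the secedit output are prefixed with `*`; any principal holding `SeDebugPrivilege` or a logon right that is not a deliberate domain administrator is worth reviewing.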

