Re: Delegate certain rights to a single Domain Controller
- From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
- Date: Sat, 15 Oct 2005 15:46:05 -0400
Interesting.
Please note that this hack does not eliminate all possible security risks,
and the users who are granted these rights need to be highly trusted.
I have to ask though, if you have to highly trust these users why are you
bothering to change the permissions in the first place? That doesn't make
sense to me.
Al
"Todd J Heron" <todd_heron(delete)@hotmail.com> wrote in message
news:uv5COka0FHA.664@xxxxxxxxxxxxxxxxxxxxxxx
> You could try this, if you are convinced the admin in the UK does not and
> will not ever possess the knowledge to hack into the rest of your domain.
> It's sort of like playing poker: you don't know your opponent's cards, and
> you can either play or fold.
>
> http://64.233.161.104/search?q=cache:iZ74ePhYZZgJ:hacks.oreilly.com/pub/h/1172+domain+admin+enterprise+hack&hl=en&lr=lang_en
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
>
> "Kevin" <Kevin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:E6A6C4B4-D44C-41F8-BBB7-DD0E986EE371@xxxxxxxxxxxxxxxx
> Thanks for addressing my question at the end of your post. That's all I
> needed to know.
>
> "Dmitri Gavrilov [MSFT]" wrote:
>
>> You should listen to what Joe says.
>>
>> If you think your domain admins can only modify stuff in their own domain,
>> you are mistaken. They can do anything they want in the whole forest, if
>> they want to. It is not as straightforward as just connecting over LDAP
>> and modifying objects normally, but it can be accomplished fairly easily.
>>
>> Anyway, the answer to your question is "no". You cannot grant him
>> permissions to his own DC only.
>>
>> In Longhorn, we are rectifying this specific scenario with a feature called
>> Read-Only DC.
>>
>> --
>> Dmitri Gavrilov
>> SDE, DS Admin eXperience
>>
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>> Use of included script samples is subject to the terms specified at
>> http://www.microsoft.com/info/cpyright.htm
>>
>> "Kevin" <Kevin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:880A9C63-D115-417A-B85B-B9ABCF19CC25@xxxxxxxxxxxxxxxx
>> > Actually, each domain in our forest has its own domain admins, and they
>> > cannot modify DCs across domains. Only the Enterprise domains can modify
>> > ALL DCs. I appreciate your thoughts. I guess I wasn't asking for opinions
>> > about what I want to do as much as just asking "if" I can do what I want
>> > to do. Every company has its own security situation. It's hard to
>> > categorically state how every network security model should be set up.
>> >
>> > But again, I do appreciate your thoughts.
>> >
>> > Kevin
>> >
>> > "Joe Richards [MVP]" wrote:
>> >
>> >> You can't. The moment you allow someone to modify a single DC they have
>> >> the opportunity to modify the entire Forest regardless of what you
>> >> *think* you have delegated. The only people who should have rights to
>> >> modify things on DCs are domain admins, and the same domain admins should
>> >> be the domain admins of every domain in the forest and also the
>> >> enterprise admins. The domain and the domain controller are NOT security
>> >> boundaries. The forest is the security boundary.
>> >>
>> >> --
>> >> Joe Richards Microsoft MVP Windows Server Directory Services
>> >> www.joeware.net
>> >>
>> >>
>> >> Kevin wrote:
>> >> > I work for a US based company, but we have one site in the UK. We have
>> >> > a consultant in the UK that does most of the hands-on work. I need to
>> >> > give this consultant rights to the DC in that office (UK), but I do not
>> >> > want him to have rights on all of our other DCs in the US.
>> >> >
>> >> > Because it's a DC, there is no local admin group. How can I give this
>> >> > consultant admin rights on just this one DC?
>> >> >
>> >> > thanks,
>> >> > Kevin
>> >>
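Added example, not part of the thread or of any poster's code: the point Joe Richards and Dmitri Gavrilov make is that "admin on a DC" is really membership in the domain's BUILTIN\Administrators (S-1-5-32-544), Domain Admins (RID 512) and, in the forest root, Enterprise Admins (RID 519), and that those groups should be populated identically in every domain of the forest. The script below audits exactly that from a domain-joined workstation. It assumes the ActiveDirectory RSAT module, read access to every domain in the forest, and PowerShell 3 or later; the function names are mine.

```powershell
Import-Module ActiveDirectory

# Returns one row per (domain, group, member) for the groups that confer
# administrative control of a domain controller.
function Get-ForestPrivilegedMembers {
    param([string]$ForestName = (Get-ADForest).Name)   # default: the caller's own forest
    $forest = Get-ADForest -Identity $ForestName
    $rows   = New-Object System.Collections.Generic.List[object]
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName -Server $domainName
        # Well-known identifiers, identical in every AD forest:
        #   BUILTIN\Administrators = S-1-5-32-544 (on a DC this *is* the "local" admin group)
        #   Domain Admins          = <domain SID>-512
        #   Enterprise Admins      = <root domain SID>-519 (exists in the forest root only)
        $groups = [ordered]@{
            'Administrators' = 'S-1-5-32-544'
            'Domain Admins'  = "$($domain.DomainSID.Value)-512"
        }
        if ($domainName -eq $forest.RootDomain) {
            $groups['Enterprise Admins'] = "$($domain.DomainSID.Value)-519"
        }
        foreach ($entry in $groups.GetEnumerator()) {
            # -Recursive expands nested groups, so an account that is an admin only
            # through several levels of nesting is still reported.
            Get-ADGroupMember -Identity $entry.Value -Server $domainName -Recursive |
                Where-Object { $_.objectClass -ne 'group' } |
                ForEach-Object {
                    $rows.Add([pscustomobject]@{
                        Domain = $domainName
                        Group  = $entry.Key
                        Member = $_.SamAccountName
                        SID    = $_.SID.Value
                    })
                }
        }
    }
    return $rows
}

# Flags principals that are Domain Admins in some domains of the forest but not
# in others, i.e. the split the thread argues is meaningless as a boundary.
function Find-PrivilegeInconsistencies {
    param([Parameter(Mandatory)][object[]]$Rows)
    $domains = $Rows.Domain | Sort-Object -Unique
    $Rows | Where-Object Group -eq 'Domain Admins' | Group-Object SID | ForEach-Object {
        $present = $_.Group.Domain | Sort-Object -Unique
        if ($present.Count -lt $domains.Count) {
            [pscustomobject]@{
                Issue   = 'Domain Admins in a subset of domains'
                Member  = $_.Group[0].Member
                SID     = $_.Name
                Present = $present -join ','
                Missing = ($domains | Where-Object { $_ -notin $present }) -join ','
            }
        }
    }
}

$rows = Get-ForestPrivilegedMembers
$rows | Sort-Object Domain, Group, Member | Format-Table -AutoSize
Find-PrivilegeInconsistencies -Rows $rows | Format-Table -AutoSize
```

The first table shows every non-group principal that, through any nesting path, can administer a DC in each domain; the second lists accounts whose Domain Admins membership differs between domains. Get-ADGroupMember -Recursive can fail on foreign security principals from trusted forests outside the one being audited, so run it once per forest.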