Re: Child Local Administrators
- From: Ulf B. Simon-Weidner [MVP] <nospam2-ulf@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 21 Apr 2006 22:49:37 +0200
Craig says...
Hi, sorry to refresh the time stamp on this posting, I was hoping
someone had some experience with Microsoft's best practice for
delegating Active Directory service administration. Can anyone share
a similar political battle when the owner of a child domain in the
forest was asking for such elevated rights? Is it safe to delegate
Domain Configuration and DC Administrator rights (both of which are
members of the local Administrators group in the child) to a separate
business area without compromising the whole forest? I'm always nervous
because with these rights you have access to the child domain's DC that
has SYSVOL, access to the file system where the AD database file(s)
are, etc. The problem is this separate business area is only accountable
for the child domain, not the forest.
I've posted the URL to the MS best practice.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid2.mspx
Hi Craig,
is it safe to grant someone physical access to a DC? Or to your network?
Being safe and secure is always a shade of gray - never black or white. Someone
who has physical or admin access to a DC is always able to crack other accounts
on the box. Someone with domain admin rights is always able to gain domain or
enterprise admin rights in other domains of the forest.
However, those tasks require the skill and criminal energy to do so.
I would prefer not to grant many admins write access to the configuration
partition, mainly to protect the ones who are not educated enough. If you
have admins of downlevel domains who need to perform tasks which require
access to the configuration partition, check the AD delegation whitepaper and
KB if you are not able to delegate just the required parts.
And the bottom line is - decide depending on the skills of the admins and how
much you can trust them. If you can't trust them, don't give them user accounts
;-) If you can trust them but don't trust their skills, delegate as strictly as
possible and educate them on how to perform those tasks.
--
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
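A check that follows from the advice above (added here as an example; it is not part of the original thread or Microsoft's whitepaper): list every principal that holds a write-capable ACE on the head of the Configuration partition, so you can see who already has the access being discussed before delegating more. It assumes the RSAT ActiveDirectory module and a session with read access to the partition; the `$expected` list is an assumed baseline that you should adjust to your forest.

```powershell
# Added example, not from the original post: audit write-capable ACEs on the
# Configuration naming context. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Locate the Configuration partition of the forest this session is joined to
$configDN = (Get-ADRootDSE).configurationNamingContext
$acl = Get-Acl -Path ("AD:\" + $configDN)

# Rights that allow an identity to change the partition head or its subtree
$writeRights = 'GenericAll', 'GenericWrite', 'WriteProperty',
               'WriteDacl', 'WriteOwner', 'CreateChild', 'DeleteChild'

# Assumed baseline of identities expected to hold write access by default;
# adjust to the forest's own built-in and delegated groups
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$expected += ((Get-ADForest).RootDomain.Split('.')[0].ToUpper() + '\Enterprise Admins')

$writeAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($writeRights | Where-Object { $_ -in ($PSItem.ActiveDirectoryRights.ToString() -split ',\s*') }).Count -gt 0
}

# Report everything first, then flag the identities outside the baseline
$writeAces |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize

$unexpected = $writeAces |
    Where-Object { $_.IdentityReference.Value -notin $expected } |
    Select-Object -ExpandProperty IdentityReference -Unique

if ($unexpected) {
    Write-Warning ("Write access on {0} held outside the baseline: {1}" -f
        $configDN, ($unexpected.Value -join ', '))
}
```

Run it from the forest root before granting a child-domain group any rights on the configuration partition, and again afterwards to confirm only the intended delegation appeared.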