Re: Branch Office DC Best Practice



as YOU say in another post..."I rather do something to increase security
than doing nothing."

letting ordinary users/admins log on to DCs really increases security...
NOT!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:uld6JLTlGHA.4212@xxxxxxxxxxxxxxxxxxxxxxx
and I think YOU need to understand that IF someone at some DC gets control
of that only DC, he has control of the other DCs

remember this: the forest is the security boundary, not the domain and not
the DC

do you understand that?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:uBAO5FTlGHA.4536@xxxxxxxxxxxxxxxxxxxxxxx
Once again you're wrong. You need to open your mind: you can control, for
example, who logs on to a particular DC; you don't have to allow one user to
log on to all DCs instead of only a particular DC.


--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:u2X8eyRlGHA.4536@xxxxxxxxxxxxxxxxxxxxxxx
as I said.. not possible

if you have control over just one DC (no matter in what domain or
whatever), you have them all!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:OEL4EhLlGHA.4284@xxxxxxxxxxxxxxxxxxxxxxx
we are not talking about making the office admins "Administrators" of the
DCs, we are talking about giving some office admins control over their
office DCs only.

--
Jorge Silva

"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in
message news:Om6gcYLlGHA.836@xxxxxxxxxxxxxxxxxxxxxxx
Create a separate OU for each office DC, and delegate control
separately. (Link Domain Controllers Policy to that OU)

you cannot make someone admin of only one DC while not giving access to
other DCs...
what I mean is: either he gives access to ALL DCs or none

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:O80OcOLlGHA.4508@xxxxxxxxxxxxxxxxxxxxxxx
won't work. it is all or nothing... and as for DCs it is better
"NOTHING" for regular users/admins

???

--
Jorge Silva

"Jorge de Almeida Pinto [MVP]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in
message news:%23iLijrKlGHA.4180@xxxxxxxxxxxxxxxxxxxxxxx
won't work. it is all or nothing... and as for DCs it is better
"NOTHING" for regular users/admins

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:OXPC$SIlGHA.1936@xxxxxxxxxxxxxxxxxxxxxxx
Hi

- I'm assuming that you have only one domain, and several sites

In line

I do not want them all to be Domain Admins.

Good point. Make sure you don't; that's why Microsoft designed
Delegation of Control.

Here's what I was thinking...
1) Create an OU for each Office and a group for each set of techs

- Make sure that you create the security group in an OU at the same
level as the other Office OUs; this prevents members of that group from
giving permissions to the group itself.
- Depending on your needs, generally you should create sub-OUs for
Servers, Workstations and Servers.

2) Delegate Control on the OU for each office giving the techs full
control

Ok, don't forget, the Group must be in a different OU at the same
level as the others.

3) Create a GPO setting restricted groups so that local admins includes
Domain Admins, the local tech group and Administrator, and link it to
the OU.

- Sounds good.

So far I think that covers everything except the DC at the site. They
need to be able to do backups and server maintenance. But if I add
each group to the local Server admins for the domain they will have
permission on all DCs.

- Create a separate OU for each office DC, and delegate control
separately. (Link Domain Controllers Policy to that OU)

--
Jorge Silva

<kessenj@xxxxxxx> wrote in message
news:1150814476.716569.295500@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We have several branch offices. Each office has a tech group and
several servers, including a DC.

I want the local tech group to have full control of everything at their
own site (including user accounts, groups and computer accounts), but
as little as possible in anyone else's.

I do not want them all to be Domain Admins.

Here's what I was thinking...
1) Create an OU for each Office and a group for each set of techs

2) Delegate Control on the OU for each office giving the techs full
control

3) Create a GPO setting restricted groups so that local admins includes
Domain Admins, the local tech group and Administrator, and link it to
the OU.


So far I think that covers everything except the DC at the site. They
need to be able to do backups and server maintenance. But if I add
each group to the local Server admins for the domain they will have
permission on all DCs.

Any thoughts??
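The OU/group layout from steps 1 and 2 above, followed by an audit for the caveat raised higher in the thread (a DC has no local groups, so "local admin on one DC" does not exist), as an added PowerShell example that is not from any poster. It assumes the ActiveDirectory module; the office names, OU names and OfficeTechs-* group names are constructed placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Office names, OU names and the
# OfficeTechs-* groups are constructed placeholders; adjust before use.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$offices  = @('Lisbon', 'Porto')

# Step 1 of the plan: one OU per office, plus a sibling OU that holds the
# tech groups, so delegated techs cannot edit their own group's membership.
# DC computer objects stay in the Domain Controllers OU; the office OUs hold
# users, groups, workstations and member servers.
$officesOU = New-ADOrganizationalUnit -Name 'Offices' -Path $domainDN -PassThru
$groupsOU  = New-ADOrganizationalUnit -Name 'OfficeTechGroups' -Path $domainDN -PassThru
foreach ($office in $offices) {
    New-ADOrganizationalUnit -Name $office -Path $officesOU.DistinguishedName
    New-ADGroup -Name "OfficeTechs-$office" -GroupScope Global `
        -GroupCategory Security -Path $groupsOU.DistinguishedName
}

# The caveat the thread turns on: a DC has no local SAM. BUILTIN\Administrators,
# Server Operators, Backup Operators etc. are domain objects shared by every DC,
# so a member of one of them has that right on all DCs, not just the office DC.
$dcWideGroups = 'Administrators', 'Server Operators', 'Backup Operators',
                'Account Operators', 'Print Operators'

function Get-DcWidePrivilegedMembers {
    foreach ($g in $dcWideGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{n = 'Group'; e = { $g }}, SamAccountName, objectClass
    }
}

# Report any office tech who has ended up in a DC-wide group (step 3 applied to
# a DC would do exactly this, because "local Administrators" on a DC is domain-wide).
function Test-OfficeTechsOnAllDCs {
    foreach ($office in $offices) {
        $techs = Get-ADGroupMember -Identity "OfficeTechs-$office" -Recursive |
                 Select-Object -ExpandProperty SamAccountName
        Get-DcWidePrivilegedMembers |
            Where-Object { $techs -contains $_.SamAccountName } |
            ForEach-Object { "WARNING: $($_.SamAccountName) ($office) is in '$($_.Group)' => admin rights on every DC" }
    }
}

Get-DcWidePrivilegedMembers | Format-Table -AutoSize
Test-OfficeTechsOnAllDCs
```

Running the audit on its own (the last two lines) against an existing domain is safe; the OU and group creation at the top is only needed to build the structure from scratch.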
