Re: delegation for "Server Operators" on Member Servers
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sat, 15 Jul 2006 13:08:17 -0400
DCs really shouldn't be delegated to lesser admins. Anything that allows a lesser person to futz with services (other than simple stop/start), files, and processes on the machine opens you up for compromise and privilege escalation.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
============================================================================
Do not read this worthless blog entry on
Defending Security Infrastructures http://blog.joeware.net/2006/07/11/445/
I'm serious, you will learn absolutely nothing about
Defending Security Infrastructures.
============================================================================
Daniel Sorokins wrote:
Thanks for your response. Your comment is important.
I need a group of users (on all Windows 2000 servers: DCs or members) to be able to:
stop and start services.
kill processes.
restart the computer.
This group of users supports "problems" 7x24 (no software installs, no fix installs, no AD administration), but if a problem exists with a process, they should repair the problem (stop, start, kill, reboot).
I view setting the ACL for each service with GPO (DC GPO and member servers GPO) as "complex".
Thanks
"Joe Richards [MVP]" wrote:
You know that a server operator on a DC can become an Enterprise Admin pretty much anytime they want to, right?
Daniel Sorokins wrote:
What is the recommendation for creating a server operator role on member servers?
I need:
change time (I think use GPO - user right)
shut down server (GPO - user right)
kill process (act as op sys - user right)
stop and start all services (GPO services ACL?.....)
schedule task (GPO user right)
I use the AD "server operator" role with DC servers, but my IT Security Group requests that I create this new role with the minimum rights.
Thanks for comments.
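
Added example, not part of the original thread or any poster's code: a small Python audit for the per-service ACL approach discussed above. It takes a service security descriptor in SDDL form (as printed by `sc sdshow`) and lists every right an operator group holds beyond query/start/stop. The group SID, the sample descriptors, the function name and the choice of allowed rights are all assumptions made for illustration.

```python
import re

# Two-letter SDDL codes as they map to service access rights.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "LC": "QUERY_STATUS", "SW": "ENUMERATE_DEPENDENTS",
    "RP": "START", "WP": "STOP", "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE",
    "CR": "USER_DEFINED_CONTROL", "RC": "READ_CONTROL",
    "DC": "CHANGE_CONFIG", "SD": "DELETE", "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "GR": "GENERIC_READ",
}
# Assumption: a start/stop-only operator role may query, start and stop.
ALLOWED = {"CC", "LC", "SW", "RP", "WP", "LO", "RC"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")  # DACL flags, then ACEs
ACE_RE = re.compile(r"\(([^)]*)\)")

def excess_rights(sddl, trustee):
    """Return sorted names of rights granted to trustee beyond ALLOWED."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    found = set()
    for ace in ACE_RE.findall(m.group(1)):
        # ACE fields: type;flags;rights;object;inherit_object;trustee
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A" or fields[5] != trustee:
            continue
        rights = fields[2]
        if rights.lower().startswith("0x"):
            found.add("RAW_MASK_" + rights)  # numeric mask: review by hand
            continue
        for code in re.findall("..", rights):
            if code not in ALLOWED:
                found.add(SERVICE_RIGHTS.get(code, "UNKNOWN_" + code))
    return sorted(found)

# Constructed sample data: a made-up operator group SID and two descriptors.
OPS = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
NARROW = BASE + "(A;;CCLCSWRPWPLORC;;;" + OPS + ")"
BROAD = BASE + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + OPS + ")S:(AU;FA;WDWO;;;WD)"

if __name__ == "__main__":
    for name, sddl in (("narrow", NARROW), ("broad", BROAD)):
        print(name, excess_rights(sddl, OPS))
```

An empty list means the group's ACE stays within query/start/stop; anything else (CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER in particular) is the kind of service access the first reply warns about.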