Re: "Server Operators" user rights on Domain Controllers
- From: "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Fri, 13 Oct 2006 17:52:03 +0200
Either you trust those people or you don't, especially on a DC!
ONLY trusted domain admins should log on to a DC!!!
Tell management that if those guys screw up, his domain or forest is toast.
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"Tilburger" <Tilburger@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:778C5864-F746-445D-BD6A-F466CD934209@xxxxxxxxxxxxxxxx
My organization is deploying Windows 2003 Domain Controllers to remote sites.
These remote sites are managed by local IT personnel that are NOT "Domain Admins". The local IT personnel at each site are members of the "Server Operators" group in AD and the "local Admins" group on member servers. Therefore they are able to manage member servers. (Install software, WSUS updates, etc.)
Now management wants (against my advice!) these local admins to be able to have similar user rights on Domain Controllers. So they need to be able to install software and security patches; actually, they need similar user rights as the "local administrator" group has on member servers. Of course, there is no "local admin" group available for domain controllers, for good reasons.
The only alternative seems to be to add these remote site admins to the "Domain Admins" group, which I definitely DO NOT want to do, because this would give them excessive permissions at the domain level.
Adding the admins to the "Server operators" group in AD will give them some additional rights, but still they will be unable to perform some tasks that they (according to my management) need to perform.
I am fully aware that there are major security consequences to giving admins which you do not trust enough to make them "Domain Admins" elevated permissions on domain controllers, but management wants it done anyway.
I would like to know if it's possible to assign users that are not members of the "Domain Admins" group similar rights as a local admin group would have on a member server, but then on a Domain Controller.
I hope someone is able to help.