Re: How to restrict DC privileges for Site Admins?
- From: "Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx>
- Date: Mon, 20 Nov 2006 12:08:00 -0000
Hi
By allowing those admins to log on to the DCs you're granting them the necessary rights so that they can do whatever they want, even if they're members of Backup Operators or any other low-level group.
- If you don't trust them, don't allow them to log on to the DC(s). That's it, no discussion.
You said that they need to perform maintenance tasks on the DCs, like backups, shutdown/restart of the server, and creating user accounts. Well, to perform these tasks these admins don't need to log on to the server; they can do that remotely with an MMC console, etc.
Look in the security GPO configuration and grant or deny the necessary rights to these users. Example: by default the members of Backup Operators have the right to log on locally to the server; you can deny that right.
The best is not to have these admins as members of any of the protected groups, because of the AdminSDHolder behavior (you can look for that on the MS site). So create your own groups, grant the necessary permissions to them and make these admins members of that group. For example, to grant the right to restart the server, go to the security settings and allow that group to shut down the server; to allow that group to back up files, grant them the right to back up and restore files under User Rights Assignment.
--
I hope that the information above helps you
Good Luck
Jorge Silva
MCSA + Exchange + MCSE
"Paul" <paul.newsgroups@xxxxxxxxx> wrote in message news:1164010769.098056.38740@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi
I have "inherited" the responsibility for a relatively large domain
with 25 sites.
We are running W2K Servers all around (but will upgrade the DCs to W2K3
within a month)
For several reasons each of these sites has one domain controller in
addition to Exchange servers and other member servers.
Normal delegation of privileges has been done (Each site is in a
separate OU with delegation of full control to local admin).
My problem, however, is the domain controller: At least one of the
local administrators on each site needs to have certain privileges on
his/her "own" domain controller in order to perform relatively simple
tasks, such as clear (backup) the security log, simple preventative
maintenance tasks, reboot the server etc.
The way this has been solved previously was to give one administrator
at each site membership in the Administrators group (and telling them
to behave...)
I am obviously not very happy with this situation, and I would like to
tighten security as much as possible.
Perhaps I'm missing something very obvious, but so far I've had no luck
finding a way to restrict the privileges they are granted today.
My question is this: Is it possible to grant privileges equivalent to
"local machine administrator" on one domain controller without granting
privileges in AD, or on other domain controllers?
Note: I am aware that there will always be a security risk as long as
someone has physical access to the domain controller. I do trust my
administrators to not use any hacker methods to get access, but I am
not comfortable with having 25 individuals (with a varying degree of
competence...) with unrestricted access in the domain...
regards
Paul
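The user-rights approach in the reply above (a custom group granted only the shutdown and backup/restore rights, with the right to log on locally withheld), as an added audit script that is not part of the original thread: it exports the DC's effective policy with secedit and flags any principal holding one of those rights outside an expected list. The group name Site-DC-Operators and the expected lists are assumptions to be adjusted for your domain.

```powershell
# Added audit example (not from the thread). Run elevated on the DC.
# Expected holders per right; "Site-DC-Operators" is a hypothetical custom group.
$Policy = @{
    'SeShutdownPrivilege'     = @('Administrators', 'Site-DC-Operators')
    'SeBackupPrivilege'       = @('Administrators', 'Site-DC-Operators')
    'SeRestorePrivilege'      = @('Administrators', 'Site-DC-Operators')
    'SeInteractiveLogonRight' = @('Administrators')   # operators groups should not hold this
}

# Export only the user-rights area of the effective local security policy.
$Export = Join-Path $env:TEMP 'dc-rights.inf'
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section; lines look like
#   SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
$Rights = @{}
$InSection = $false
foreach ($Line in Get-Content $Export) {
    if ($Line -match '^\[(.+)\]') { $InSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $InSection -or $Line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
    $Name = $Matches[1]; $Raw = $Matches[2]
    $Holders = foreach ($Entry in ($Raw -split ',')) {
        $Entry = $Entry.Trim()
        if ($Entry.StartsWith('*')) {
            # "*SID" form: translate to an account name so it can be compared to the policy
            try { (New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $Entry }   # unresolvable SID stays as-is and will show up as an extra holder
        } else { $Entry }
    }
    $Rights[$Name] = $Holders
}

# Report any holder of a controlled right that the policy does not expect.
foreach ($Right in $Policy.Keys) {
    $Actual = @($Rights[$Right]) | Where-Object { $_ } | ForEach-Object { ($_ -split '\\')[-1] }  # strip BUILTIN\ or DOMAIN\
    $Extra  = $Actual | Where-Object { $Policy[$Right] -notcontains $_ }
    if ($Extra) { "WARNING: $Right also granted to: $($Extra -join ', ')" }
    else        { "OK:      $Right limited to: $($Actual -join ', ')" }
}
Remove-Item $Export -ErrorAction SilentlyContinue
```

On a default DC the SeInteractiveLogonRight check will flag Account Operators, Backup Operators, Print Operators and Server Operators, which is the default the reply recommends tightening.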