Re: Grant Administrative Access to a Domain Controller





Joe Richards [MVP] wrote:
Unless your tool is proxying their access to the DC itself it isn't
possible to lock someone down that has admin rights. Once someone has
admin rights on a DC and they know what they are doing they can do
anything they want to it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


MPerrault wrote:
Jorge de Almeida Pinto [MVP - DS] wrote:
let me re-phrase that...NO WAY!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------
"Jorge Silva" <jorgesilva_pt@xxxxxxxxxxx> wrote in message
news:8BA4F3AF-0D36-422C-A324-A363D4E7F959@xxxxxxxxxxxxxxxx
Not possible.

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Archi" <Archi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AE76A0D2-4FF0-4011-A4DE-32688D71F844@xxxxxxxxxxxxxxxx
We have a group Domain Server Operators and we need to give them admin
rights to domain controllers to restart services, install software, etc.
But they should not have rights to Active Directory.

"Jorge Silva" wrote:

Hi,
Can you explain exactly what you need to do?
Also have a look at:
Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Archi" <Archi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:24F63807-E425-4294-AFFD-6A36ACD3DB97@xxxxxxxxxxxxxxxx
I need to give admin access to domain controllers for a certain domain
group but without accessing Active Directory.
Any options?

It is possible if you limit their AD access by delegating them read-only
access in AD.
You can do this with Active Administrator:

http://www.scriptlogic.com/products/activeadmin/
This will allow them rights on the DC, but limit their rights to AD.


Michael P. Perrault
MCSE, CCNA, A+, MBA
Senior Systems Engineer,
ScriptLogic Corporation

Michael.Perrault@xxxxxxxxxxxxxxx
www.scriptlogic.com
http://groups-beta.google.com/group/scriptlogic-desktop-authority


Of course you can lock yourself out of AD. I've seen it happen all the time.

Michael P. Perrault
MCSE, CCNA, A+, MBA
Senior Systems Engineer,
ScriptLogic Corporation

Michael.Perrault@xxxxxxxxxxxxxxx
www.scriptlogic.com
http://groups-beta.google.com/group/scriptlogic-desktop-authority

