Re: Grant Administrative Access to a Domain Controller
Jorge de Almeida Pinto [MVP - DS] wrote:
OK, let me try to ask the question as pointed out by the original poster...

He wants some group of persons to:
(1) install software on a DC
(2) restart services on a DC

He does not want that same group of persons
(3) to be domain admin
(4) change ANYTHING in AD in ANY way...

if you guys (Mike and Matt) feel the problem/issue has been described
correctly, please explain to me in detailed steps how you are going to
configure things so that the original poster is able to accomplish
requirements (1), (2), (3) and (4)...

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"mfarr" <mfarr@xxxxxxxxxxxxxxx> wrote in message
news:1167249029.682242.42270@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Archi, one other thing . .

To clarify, this user cannot be a member of the domain admins group,
but shouldn't be if they are not managing AD. Use the capability of AD
to delegate the appropriate rights.

Matt


mfarr wrote:
Archi,

My colleague Mike is correct in saying you can deny access to Active
Directory but still allow logon to the DC's. To do this, delegate read
only rights to your restricted administrator to everything within AD,
then add that user to the list of accounts that can log on locally to
the DC within the Domain Controller Security Policy. Within the Domain
Controller Security Policy are also options to log on as a service,
etc. for management functionality.

I recommend checking out Active Administrator from Scriptlogic to
handle the delegations of control within AD. With Active Administrator
you can easily configure these restricted permission within AD for your
admins via permissions templates that even self heal. Good luck.

Matt


Archi wrote:
We have a group Domain Server Operators and we need to give them admin
rights to domain controllers to restart services, install software and
etc. But they should not have rights to Active Directory.

"Jorge Silva" wrote:

Hi
Can you explain exactly what do you need to do?
also have a look at :
Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Archi" <Archi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:24F63807-E425-4294-AFFD-6A36ACD3DB97@xxxxxxxxxxxxxxxx
I need to give admin access to domain controllers for a certain domain
group but without accessing Active Directory.
Any options?



I had a few people email me on how to do this outside this forum, so I
thought I would post it here for all.

Ok here you go step by step on how to do this:

(you are doing all of this while logged in as a Domain Admin)

1. Create an account (or elevate an existing one) and allow them full
access to AD from the top of the domain in the MMC console Users and
Computers. (This is the backup account you will need to reset perms
back to the way they were; make sure they have admin rights on all
objects you want to manage within AD.)

2. At the top level of the domain, change the ownership of the domain
from Domain Admins to your Elevated account. (this is done so not to
lock yourself out)

3. Deny permissions at the top for domain admins as well as Enterprise
admin groups, then hit apply, and ok. You will get a warning about
deny perms. click ok, and close the properties box.

4. Now you are denied access to AD, however you are still allowed to
perform administrative tasks to the DC.

From here if you try to open the mmc console while logged in as the
admin you will get denied access.

I know the next comment will be that the refresh of the AdminSDHolder
will take place and the permissions will be reset. This is true for
the objects inside of AD, not AD itself. The part that has been denied
access is the outside outer or beginning part of AD. If you can't get
past this you can not get in. This part is not reset because it is not
affected by the AdminSDHolder refresh. You can also disable the
AdminSDHolder for the "sacred" accounts if you like as well.

Here is the error you will get for trying to access AD through the MMC:

" Naming information cannot be located because:
the specified directory service attribute or value does not exist.
Contact you current admin to verify that AD is correctly configured and
online."

then:

"The directory schema is not accessible because:
An invalid directory pathname was passed,
for this reason, the new menu may be inaccurate, and extension snap-ins
may not work properly."

and then:

"Data from AD users and computers is not available from domain
controller (null) because:
unspecified error
try again later, or choose another domain controller by selecting
connect to domain controller on the domain context menu."

The beauty of this is you can logon to the DC as an admin and still
perform admin tasks because you are still allowed in the DC policy, but
you cannot manipulate AD.

If you logoff and login as the admin you still authenticate even though
you can't access AD (this is by design).

Jorge to answer the questions:

1. Your admins group can install software
2. They can restart services
3. They are a domain admin
4. They do not have access in AD

Now, to reset this you can just perform a run as or login with account
created earlier and reset permissions back to the way they were,
remember you delegated full AD perms to this account, even though it
was not in the domain admins group.


And honestly, if anyone does find a way to get access to AD through MS
tools let me know. There is always something new.

Michael P. Perrault
MCSE, CCNA, A+, MBA
Senior Systems Engineer,
ScriptLogic Corporation

Michael.Perrault@xxxxxxxxxxxxxxx
www.scriptlogic.com
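The procedure in the post above works by editing the security descriptor of the domain naming context itself (changing its owner and adding Deny ACEs for the Domain Admins and Enterprise Admins groups), which the AdminSDHolder process does not touch. Whether that state was created deliberately, as described here, or by someone else, an administrator will want a way to see it. The following PowerShell script is an added example, not code from anyone in this thread or from ScriptLogic: it reads the ACL on the domain head with the RSAT ActiveDirectory module (assumed installed, with the session able to read the domain object), reports the owner, and lists every explicit Deny ACE that targets the well-known Domain Admins (RID 512) or Enterprise Admins (RID 519) groups. The function name `Get-DomainRootAclReport` and the output property names are this example's own choices.

```powershell
# Added example (not from the thread): audit the domain naming context's owner and
# Deny ACEs against Domain Admins / Enterprise Admins.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

function Get-DomainRootAclReport {
    param(
        # Distinguished name of the domain head; defaults to the current domain.
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )

    $domain     = Get-ADDomain
    $forestRoot = Get-ADDomain -Identity (Get-ADForest).RootDomain

    # Well-known RIDs: 512 = Domain Admins (per domain), 519 = Enterprise Admins (forest root).
    $privilegedSids = @{
        "$($domain.DomainSID.Value)-512"     = 'Domain Admins'
        "$($forestRoot.DomainSID.Value)-519" = 'Enterprise Admins'
    }

    # The AD: PSDrive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DomainDN"

    # Resolve the owner to a SID so the comparison does not depend on name resolution.
    $ownerSid = try {
        ([System.Security.Principal.NTAccount]$acl.Owner).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }

    $findings = foreach ($ace in $acl.Access) {
        # Only explicit Deny entries on this object are of interest; inherited ones
        # come from elsewhere and are reported by auditing that parent instead.
        if ($ace.AccessControlType -ne 'Deny' -or $ace.IsInherited) { continue }

        $aceSid = try {
            $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $ace.IdentityReference.Value }

        if ($privilegedSids.ContainsKey($aceSid)) {
            [pscustomobject]@{
                Group             = $privilegedSids[$aceSid]
                Identity          = $ace.IdentityReference.Value
                Rights            = $ace.ActiveDirectoryRights
                InheritanceType   = $ace.InheritanceType
                ObjectType        = $ace.ObjectType
            }
        }
    }

    [pscustomobject]@{
        DomainDN                 = $DomainDN
        Owner                    = $acl.Owner
        OwnerIsDomainAdmins      = ($ownerSid -eq "$($domain.DomainSID.Value)-512")
        DenyAcesOnPrivilegedGroups = @($findings)
    }
}

# Usage: run once and inspect the result; a non-Domain Admins owner or any entry in
# DenyAcesOnPrivilegedGroups is the state the procedure above produces.
$report = Get-DomainRootAclReport
$report | Format-List
$report.DenyAcesOnPrivilegedGroups | Format-Table -AutoSize
```

A clean domain head normally reports `OwnerIsDomainAdmins` as true and an empty `DenyAcesOnPrivilegedGroups`. The script only reads the ACL; putting it back is the job of the backup account the post tells you to create in step 1, and this check is a quick way to confirm that reset actually took effect.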
