Re: Administrator Logon to 1 DC only
- From: "Austin Osuide" <austin@xxxxxxxxxxx>
- Date: Fri, 30 Nov 2007 20:37:41 -0000
Anyone who can log on to your DCs in effect "owns" your domain.
This is why a DC is a critical and important part of your infrastructure and should generally not have other roles or functions unrelated to domain administration installed on it.
If your level of trust in these 3rd-party apps' admins is such that you do not mind them being DAs, then go ahead.
If this is not the case, you are in effect cruising for a bruising.
Regards,
Austin
"lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A076EA1B-EE74-467E-BB6C-B982BA9D7D49@xxxxxxxxxxxxxxxx
Cool... so although gpedit.msc can be fired up on the DC and it says 'Local
Computer Policy' at the root of the tree, any settings made here will be
ignored?
Cheers
"Danny Sanders" wrote:
> something messy like in the local policy of the other DC specifically deny
> logon for the 3rd Party Account, could that work? is it possible?
Nope, DCs don't have a local policy.
hth
DDS
"lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D5E7E1C-3248-43DA-8A83-ED76E9BD6882@xxxxxxxxxxxxxxxx
> I thought as much, been racking my brain about this for ages. Unfortunately
> no member servers :( Small shop setup... 2 servers... Instead of doing 1
> dedicated DC and 1 dedicated app server, I did 2 DCs for redundancy, and
> install the app to one...
>
> Hey ho.... domain admin they will have to have then... I thought maybe
> something messy like in the local policy of the other DC specifically deny
> logon for the 3rd Party Account, could that work? is it possible?
>
> "Danny Sanders" wrote:
>
>> Can't be done.
>> You could move the app to a member server.
>>
>> hth
>> DDS
>>
>> "lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:607A30AE-FD44-4EE3-A3B6-854E6D6F2C28@xxxxxxxxxxxxxxxx
>> > Guys,
>> >
>> > Situation :
>> >
>> > 2 DCs in the domain, 1 DC acting as a DC only and holds all FSMO roles.
>> > 2nd DC acting as a DC AND serving a 3rd Party Application.
>> >
>> > Question: Would like to restrict the third party to only be able to
>> > logon to the 2nd DC to administer the Application/Reboot the server.
>> > Can this be done, i.e. essentially giving them like a local admin
>> > account like you would on a member server.
>> >
>> > Thanks much
>> >
>>
>>
>>
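As an added example (not from any of the posters in this thread), the PowerShell below shows why the answer above is what it is and where the restriction does work. It assumes the RSAT ActiveDirectory module is available, a hypothetical vendor account CONTOSO\svc-vendor and a hypothetical member server APP01; steps 1 and 2 are meant to run elevated on a domain controller. Step 1 lists who already holds DC logon through the built-in groups, step 2 reads the effective "Allow log on locally" right from the DC with secedit (it comes from the Default Domain Controllers Policy, not a per-machine setting), and step 3 grants the vendor account local Administrators on a member server, the placement Danny suggests.

```powershell
# Added example; not part of the original thread. Assumes the RSAT ActiveDirectory
# module, a hypothetical vendor account CONTOSO\svc-vendor, a hypothetical member
# server APP01, and that steps 1-2 are run elevated on a domain controller.
Import-Module ActiveDirectory

# --- 1. Who can already log on to every DC? -----------------------------------
# On a DC, "Allow log on locally" is granted by the Default Domain Controllers
# Policy to these built-in groups. Their membership lives in AD, so it is the
# same on every DC in the domain: there is no per-DC scope to narrow.
$dcLogonGroups = 'Administrators', 'Account Operators', 'Backup Operators',
                 'Print Operators', 'Server Operators'

$effectiveDcAdmins = foreach ($group in $dcLogonGroups) {
    # -Recursive expands nested groups (Domain Admins and Enterprise Admins
    # sit inside Administrators), so this shows the real set of accounts.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [pscustomobject]@{ ViaGroup = $group; Account = $_.SamAccountName }
        }
}
$effectiveDcAdmins | Sort-Object Account | Format-Table -AutoSize

# --- 2. Confirm the right as the DC actually applies it -------------------------
# secedit exports the effective security policy of this machine. On a DC the
# [Privilege Rights] section reflects the Default Domain Controllers Policy,
# which is why a "local policy" tweak on one DC does not stick.
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rightLine = Get-Content -Path $inf | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
Remove-Item -Path $inf

# Line looks like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,...
$sidStrings = ($rightLine -split '=', 2)[1].Trim() -split ',' |
              ForEach-Object { $_.Trim().TrimStart('*') }
foreach ($sidString in $sidStrings) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '(unresolved)'
    }
    '{0,-45} {1}' -f $sidString, $name
}

# --- 3. Where a per-machine admin actually works: a member server ---------------
# A member server keeps its own SAM, so its local Administrators group is scoped
# to that one box. Granting the vendor account there, rather than Domain Admins,
# lets them administer the app and reboot that server without touching AD.
Invoke-Command -ComputerName APP01 -ScriptBlock {
    net localgroup Administrators 'CONTOSO\svc-vendor' /add | Out-Null
    net localgroup Administrators
}
```

If step 1 already shows the vendor account, or step 2 resolves to a group they sit in, they hold logon on both DCs regardless of which one the application lives on; the only way to get the per-machine scope asked for in the original question is the member server in step 3.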