Re: Administrator Logon to 1 DC only

Hey Austin,

Okay, no, I am past the limiting admin privileges.... and have accepted it
:) Thanks for drilling it into me

Over the weekend I am going to create another DC on VMware Server and then
demote the DC running the app and then let the 3rd party do what they
like.

However it is bugging me now what GPEDIT.msc on the DC does... or at least
confusing me, as the root of it says 'Local Computer Policy'.

"Austin Osuide" wrote:

Hi,
You are still thinking along the lines of limiting admin privileges to the
app on the DC, i.e. making them members of the Builtin Administrators group.
The folly in this is that you cannot prevent that admin from elevating his
privileges to DA if he so wishes.
You are much, much better off finding a cheaper box to run as your DC and
leaving the 3rd party app on its own, or vice versa. Trust me.
If you lose your DCs, the 3rd party app itself is redundant anyway, so DCs
win all the time. If you can't get your management to see this, you are in
trouble anyway.

Regards,

Austin

"lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F826D178-F9C4-4351-B7A7-8EE1D37339C8@xxxxxxxxxxxxxxxx
Austin,

'If this is not the case, you are in effect cruising for a bruising.'

- believe me, I am taking the pain now... This was my first implementation a
while ago, but typical of a small business scenario, where 2 servers is the
typical buy and no more... and management of this company want everything for
nothing, got sold the 'dream' from an app vendor, who really don't give a damn
now, as they have taken their payment and clearly don't know what they are
doing; their support is absolutely terrible... such is life.

However, could you explain what GPEDIT.msc on the DC is? As it does say
'Local Computer Policy' at the root of the tree... do settings made here have
any impact on the DC itself?


"Austin Osuide" wrote:

Anyone who can logon to your DCs in effect "owns" your domain.
This is why a DC is a critical and important part of your infrastructure and
should generally not have other roles or functions unrelated to domain
administration installed on them.
If your level of trust in these 3rd party app admins is such that you do
not mind them being DAs, then go ahead.
If this is not the case, you are in effect cruising for a bruising.

Regards,

Austin


"lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A076EA1B-EE74-467E-BB6C-B982BA9D7D49@xxxxxxxxxxxxxxxx
Cool... so although gpedit.msc can be fired up on the DC and it says 'Local
Computer Policy' at the root of the tree, any settings made here will be
ignored?

Cheers

"Danny Sanders" wrote:

something messy like in the local policy of the other DC, specifically deny
logon for the 3rd Party Account, could that work? is it possible?

Nope, DCs don't have a local policy.

hth
DDS

"lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2D5E7E1C-3248-43DA-8A83-ED76E9BD6882@xxxxxxxxxxxxxxxx
I thought as much, been racking my brain about this for ages. Unfortunately no
member servers :( Small shop setup... 2 servers... Instead of doing 1
dedicated DC and 1 dedicated App server, I did 2 DCs for redundancy, and
installed the app on one...

Hey ho.... domain admin they will have to have then... I thought maybe
something messy like in the local policy of the other DC, specifically deny
logon for the 3rd Party Account, could that work? Is it possible?

"Danny Sanders" wrote:

Can't be done.
You could move the app to a member server.

hth
DDS

"lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:607A30AE-FD44-4EE3-A3B6-854E6D6F2C28@xxxxxxxxxxxxxxxx
Guys,

Situation :

2 DCs in the domain, 1 DC acting as a DC only and holds all FSMO roles. 2nd
DC acting as a DC AND serving a 3rd Party Application.

Question: Would like to restrict the third party to only be able to logon to
the 2nd DC to administer the Application/Reboot the server. Can this be done,
i.e. essentially giving them a local admin account like you would on a
member server.

Thanks much
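The point made in the thread is that the user-rights settings in effect on a DC come from the Default Domain Controllers Policy, not from the "Local Computer Policy" node that gpedit.msc shows. The following PowerShell is an added example, not code posted by anyone in this thread: it exports the effective user rights on the server it runs on, lists who holds the interactive and remote-interactive logon rights, shows which GPOs supplied them, and checks whether a given account (the placeholder `ThirdPartyAdmin`, which you would replace with the real sAMAccountName) reaches those rights through direct group membership. It assumes an elevated session and, for the last step, the ActiveDirectory module from RSAT.

```powershell
# Added example (not from the thread). Audit who can log on to this server.
# On a DC the values come from the Default Domain Controllers Policy GPO.

# 1. Export only the user-rights area of the effective security policy.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# 2. Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548
#    Resolve the SIDs to account names where possible.
function Resolve-PolicySid ([string]$Value) {
    $v = $Value.Trim()
    if ($v -notlike '*S-1-*') { return $v }              # already a name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($v.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $v }                                        # unresolvable SID: keep raw
}
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { Resolve-PolicySid $_ })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 3. Report the rights that decide console and RDP logon (allow and deny).
$ofInterest = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
              'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
foreach ($r in $ofInterest) {
    '{0,-36} {1}' -f $r, ((@($rights[$r]) | Sort-Object) -join '; ')
}

# 4. Which GPOs actually applied these computer settings. On a DC expect the
#    Default Domain Controllers Policy here, not anything from gpedit.msc.
gpresult.exe /scope computer /r |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 6

# 5. Does the account under review reach an Allow entry through a group it is
#    a direct member of? (Nested membership is not expanded here.)
#    Requires the ActiveDirectory module; the account name is a placeholder.
$AccountToCheck = 'ThirdPartyAdmin'
$groups = (Get-ADPrincipalGroupMembership $AccountToCheck).Name
$allow  = @($rights['SeInteractiveLogonRight']) + @($rights['SeRemoteInteractiveLogonRight'])
$allow | Where-Object { ($_ -split '\\')[-1] -in $groups } |
    ForEach-Object { "$AccountToCheck can log on here through group: $_" }
```

If the account appears under an Allow entry on a DC, that is the situation the thread warns about: the account effectively holds domain-level access, and the fix is to move the application to a member server rather than to edit a local policy.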