Re: Administrator Logon to 1 DC only
- From: "Austin Osuide" <austin@xxxxxxxxxxx>
- Date: Sat, 1 Dec 2007 13:16:19 -0000
Hi,
A DC is also a computer and they all have a local computer policy which is what you see using gpedit.msc. Nothing strange there.
The settings on the LCP on the DC are modified or set by the Default Domain Controller policy which is a Domain GPO.
You are unlikely to configure the security settings of your DCs using each machine's local policy.
Regards,
Austin
"lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:17226083-799C-4B2F-90A5-8CD9AE1C52A8@xxxxxxxxxxxxxxxx
Hey Austin,
Okay, no, I am past the limiting admin privileges.... and have accepted it
:) Thanks for drilling it into me
Over the weekend I am going to create another DC on VMware Server, then
demote the DC running the app and let the 3rd party do what they
like.
However it is bugging me now what GPEDIT.msc on the DC does... or at least
confusing me, as the root of it says 'Local Computer Policy'
"Austin Osuide" wrote:
Hi,
You are still thinking along the lines of limiting admin privileges to the
app on the DC i.e. making them members of the Builtin administrators group.
The folly in this is that you cannot prevent that admin from elevating his
privileges to DA if he so wishes.
You are much, much better off finding a cheaper box to run as your DC and
leaving the 3rd party app on its own, or vice versa. Trust me.
If you lose your DCs, the 3rd party app itself is redundant anyway, so DCs
win all the time. If you can't get your management to see this, you are in
trouble anyway.
Regards,
Austin
"lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F826D178-F9C4-4351-B7A7-8EE1D37339C8@xxxxxxxxxxxxxxxx
> Austin,
>
> 'If this is not the case, you are in effect cruising for a bruising.'
>
> - believe me I am taking the pain now... This was my first implementation a
> while ago, but typical of a small business scenario, where 2 servers is the
> typical buy and no more... and management of this company want everything
> for nothing, got sold the 'dream' from an app vendor, who really don't give a
> damn now, as they have taken their payment and clearly don't know what they
> are doing; their support is absolutely terrible... such is life
>
> However, could you explain what GPEDIT.msc on the DC is? As it does say
> 'Local Computer Policy' at the root of the tree... do settings made here have
> any impact on a DC itself?
>
>
> "Austin Osuide" wrote:
>
>> Anyone who can logon to your DCs in effect "owns" your domain.
>> This is why a DC is a critical and important part of your infrastructure
>> and should generally not have other roles or functions unrelated to Domain
>> administration installed on them.
>> If your level of trust in these 3rd party apps' Admins is such that you do
>> not mind them being DAs then go ahead.
>> If this is not the case, you are in effect cruising for a bruising.
>>
>> Regards,
>>
>> Austin
>>
>>
>> "lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:A076EA1B-EE74-467E-BB6C-B982BA9D7D49@xxxxxxxxxxxxxxxx
>> > Cool... so although gpedit.msc can be fired up on the DC and it says
>> > 'Local Computer Policy' at the root of the tree, any settings made here will
>> > be ignored?
>> >
>> > Cheers
>> >
>> > "Danny Sanders" wrote:
>> >
>> >> > something messy like in the local policy of the other DC
>> >> > specifically
>> >> > deny
>> >> > logon for the 3rd Party Account, could that work? is it possible?
>> >>
>> >> Nope, DCs don't have a local policy.
>> >>
>> >> hth
>> >> DDS
>> >>
>> >> "lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:2D5E7E1C-3248-43DA-8A83-ED76E9BD6882@xxxxxxxxxxxxxxxx
>> >> > I thought as much, been racking my brain about this for ages.
>> >> > Unfortunately no member servers :( Small shop setup... 2 servers... Instead
>> >> > of doing 1 dedicated DC and 1 dedicated App server, I did 2 DCs for
>> >> > redundancy, and installed the app on one...
>> >> >
>> >> > Hey ho.... domain admin they will have to have then... I thought
>> >> > maybe
>> >> > something messy like in the local policy of the other DC
>> >> > specifically
>> >> > deny
>> >> > logon for the 3rd Party Account, could that work? is it possible?
>> >> >
>> >> > "Danny Sanders" wrote:
>> >> >
>> >> >> Can't be done.
>> >> >> You could move the app to a member server.
>> >> >>
>> >> >> hth
>> >> >> DDS
>> >> >>
>> >> >> "lozza" <lozza@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> news:607A30AE-FD44-4EE3-A3B6-854E6D6F2C28@xxxxxxxxxxxxxxxx
>> >> >> > Guys,
>> >> >> >
>> >> >> > Situation :
>> >> >> >
>> >> >> > 2 DCs in the domain, 1 DC acting as a DC only and holds all FSMO
>> >> >> > roles. 2nd DC acting as a DC AND serving a 3rd Party Application.
>> >> >> >
>> >> >> > Question: Would like to restrict the third party to only be able
>> >> >> > to logon to the 2nd DC to administer the Application/Reboot the server.
>> >> >> > Can this be done, i.e. essentially giving them a local admin account like
>> >> >> > you would on a member server.
>> >> >> >
>> >> >> > Thanks much
>> >> >> >
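Added example, not from the thread or any of its posters: a PowerShell check of the point Austin and Danny make above, that the "Local Computer Policy" a DC shows in gpedit.msc is overridden by the Default Domain Controllers Policy, which is linked to the Domain Controllers OU and so applies the same logon rights to every DC. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that it runs elevated on a DC as a domain administrator, and that the GPO still carries the default name Windows gives it; the file names ddcp.xml and effective.inf are my own choices.

```powershell
# Added example (not the thread's own text). Shows why a "deny logon" set in the
# Local Computer Policy of one DC does not hold: the Default Domain Controllers
# Policy is linked to the Domain Controllers OU, wins over the local policy, and
# is applied to every DC, so logon rights on DCs are domain-wide.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules, run elevated on a DC
# as a domain admin, GPO still has its default name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. All DCs sit in the same OU and receive the same GPO; there is no per-DC scope.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, ComputerObjectDN | Format-Table -AutoSize

# 2. Export the Default Domain Controllers Policy and list its logon rights.
$gpo = Get-GPO -Name 'Default Domain Controllers Policy'
$reportPath = Join-Path $env:TEMP 'ddcp.xml'     # file name is my choice
Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $reportPath
[xml]$report = Get-Content -Path $reportPath

# Elements in the report are namespaced, so match on local-name() rather than
# relying on PowerShell's property-style XML navigation.
$assignments = Select-Xml -Xml $report -XPath "//*[local-name()='UserRightsAssignment']"
foreach ($a in $assignments) {
    $name = $a.Node.SelectSingleNode("*[local-name()='Name']").InnerText
    # SeInteractiveLogonRight, SeDenyInteractiveLogonRight, SeRemoteInteractiveLogonRight, ...
    if ($name -notmatch 'LogonRight$') { continue }
    $members = $a.Node.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
        ForEach-Object { $_.InnerText }
    '{0,-36} {1}' -f $name, ($members -join ', ')
}

# 3. What this DC actually enforces: secedit exports the merged local security
#    database, i.e. the result after the domain GPO has overwritten any entry
#    that was typed into gpedit.msc on this machine.
$effective = Join-Path $env:TEMP 'effective.inf'  # file name is my choice
secedit /export /cfg $effective /areas USER_RIGHTS | Out-Null
Get-Content -Path $effective | Where-Object { $_ -match '^Se\w*LogonRight' }
```

To see the override happen, add an account to "Deny log on locally" in gpedit.msc on one DC, run `gpupdate /force`, and re-run step 3: the secedit export shows the value the Default Domain Controllers Policy sets, not the local edit. The secedit output lists principals as SIDs (for example *S-1-5-32-544 for BUILTIN\Administrators), whereas the GPO report shows names, so compare by resolving one to the other rather than by string equality.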