Re: Secure Domain Contollers at Branch Offices
- From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
- Date: Mon, 12 May 2008 19:54:04 -0400
Yes, but I think the answer really depends on many more factors than you
mentioned.
For example, what exactly is deployed on these domain controllers? Why are
they domain controllers? Are they locked rooms? Do these admins have
physical access to the domain controller machines? Why are the local site
administrators restarting services(this may fit with question 1)? What does
security mean to you? What does compromising "too much" mean in that
context?
There are more, but that's the base set of questions I think. Answers to
that should help guide the remainder of questions and help you get to a more
secure stance.
Al
"Bob Smith" <BobSmith@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B933D7DE-F6BD-4A3F-B6D6-0FF21355FC43@xxxxxxxxxxxxxxxx
We need to reduce the number of users in the Domain Admins group. We are
running Windows 2003 and are not looking to move to the next release for a
while. We have multi-function domain controllers at a number of branch
offices. Administrators have been placed in the Domain Admins group to
administer these servers.
How can we remove admins from the Domain Admins group but still allow them
to perform daily operations tasks on these servers (restart services,
setup
printers, logon locally, manage file security... etc). Has anyone come up
with a good security model for this without compromising security too
much.
Thanks
.
- References:
- Secure Domain Contollers at Branch Offices
- From: Bob Smith
- Secure Domain Contollers at Branch Offices
- Prev by Date: RE: Remote Active Directory serving as a global catalog.
- Next by Date: Samba Domain vs Windows Clustering
- Previous by thread: Secure Domain Contollers at Branch Offices
- Next by thread: Re: Secure Domain Contollers at Branch Offices
- Index(es):
Relevant Pages
|
