Re: Secure Domain Contollers at Branch Offices

From: "Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
Date: Tue, 20 May 2008 22:23:49 +0200

it is either very difficult or impossible. AND it is for sure not a best practice! W2K8 RODCs should help you with this, but as you said not an option

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Bob Smith" <BobSmith@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:B933D7DE-F6BD-4A3F-B6D6-0FF21355FC43@xxxxxxxxxxxxxxxx

We need to reduce the number of users in the Domain Admins group. We are
running Windows 2003 and are not looking to move to the next release for a
while. We have multi-function domain controllers at a number of branch
offices. Administrators have been placed in the Domain Admins group to
administer these servers.

How can we remove admins from the Domain Admins group but still allow them
to perform daily operations tasks on these servers (restart services, setup
printers, logon locally, manage file security... etc). Has anyone come up
with a good security model for this without compromising security too much.

Thanks

References:
- Secure Domain Contollers at Branch Offices
  - From: Bob Smith

Prev by Date: Re: Granting exclusive rights to special folders
Next by Date: Re: delegate control
Previous by thread: Re: Secure Domain Contollers at Branch Offices
Next by thread: Samba Domain vs Windows Clustering
Index(es):
- Date
- Thread

Relevant Pages

Restrict Desktop Administrators Issue
... I run a small Win2k native mode network with 28 servers, ... Since these guys are Domain Admins my policy restriction ... them out of the Domain Admins group or something else? ... My desktop guys need to be administrators on all the ...
(microsoft.public.win2000.active_directory)
Restrict Desktop Administrators Issue
... I run a small Win2k native mode network with 28 servers, ... Since these guys are Domain Admins my policy restriction ... them out of the Domain Admins group or something else? ... My desktop guys need to be administrators on all the ...
(microsoft.public.win2000.group_policy)
Restrict Desktop Administrators Issue
... I run a small Win2k native mode network with 28 servers, ... Since these guys are Domain Admins my policy restriction ... them out of the Domain Admins group or something else? ... My desktop guys need to be administrators on all the ...
(microsoft.public.win2000.security)
Re: Restrict Desktop Administrators Issue
... Use the Restricted Groups section of Group Policy to add Desktop Support ... to the local Administrators group on the individual workstations. ... > admins are members of the Domain Admins group. ... > policy which denies them log on access to the servers OU. ...
(microsoft.public.win2000.active_directory)
Re: Restrict Desktop Administrators Issue
... Use the Restricted Groups section of Group Policy to add Desktop Support ... to the local Administrators group on the individual workstations. ... > admins are members of the Domain Admins group. ... > policy which denies them log on access to the servers OU. ...
(microsoft.public.win2000.group_policy)