Re: Administrator but not Domain Admin



Have him sign a document ... stating that he will handle the password appropriately, provide you a list of all employees that have access ... etc., etc. Put a bit of the fear of God into him.

Robert Trebor wrote:

Simple: he won't fix the old software otherwise; says he has some sort of
tool that won't run from a user account on a workstation. We tried limiting
him to a workstation but he just threw a fit. Meanwhile, the client needs
the old software fixed -- now. I just added some explicit denies on the AD
tools, which should help. I'd be happy to get it to the point of "he could
elevate himself if he put his mind to it but probably can't be bothered and
may not have the technical expertise." After he fixes the software,
presumably we can remove all the access. I was just surprised that a machine
admin could elevate himself to domain admin; that seems to be all wrong. The
reverse I do understand; I can see that the Domain Admins group is actually
found in Administrators, so all Domain Admins are Administrators. But
machine to domain admin? Counter-intuitive if you ask me.

"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx>
wrote in message news:uZbga3VbFHA.4040@xxxxxxxxxxxxxxxxxxxxxxx

Why did this software vendor 'demand' Admin access? And if he truly has to
have it ... I'd have him sign an indemnification agreement ... he has the
keys to your kingdom.

Robert Trebor wrote:

I need to make a software vendor an administrator on a server running SBS
2003. He demanded this access and the client caved in, so I'm stuck. We
don't want him to be a domain administrator if at all possible, though, so
he can't see another, new server on the network running a competitor's
software -- what's eventually going to replace his. Old Vendor's software
hasn't been fully retired yet and needs immediate maintenance. Again, I'm
stuck with the situation and have to make the best of it. I started with
explicit denies on the other server and unnecessary shares on the SBS. I
made Old Vendor an administrator, but I see that that gives him the ability
to make himself a Domain Admin -- which would let him change permissions on
the other server, among other things. What can I do to prevent Old Vendor
from giving himself Domain Admin privileges while still allowing him to log
on to the SBS? It doesn't have to be 100% bulletproof but I would like to
give some reasonable assurance to the client that Old Vendor is limited to
the SBS, where Old Software is installed.
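The thread's underlying point is that an SBS box is a domain controller, so its Administrators group is the domain's built-in Administrators group and its members can edit directory group membership, which is exactly how a "machine admin" can put himself into Domain Admins. A defender's follow-up check, added here as an example and not code from the thread: audit the privileged groups against an approved baseline on a schedule and report any drift, with the vendor permitted in Administrators but nowhere else. It assumes the ActiveDirectory PowerShell module (RSAT or Windows Server 2008 R2 and later, so not the original SBS 2003 host itself); the account names are placeholders.

```powershell
# Added example (not from the thread): report membership drift in the privileged
# groups of a domain controller against an approved baseline.
# Requires the ActiveDirectory module; account names below are placeholders.
Import-Module ActiveDirectory

# Approved membership. On a DC, Administrators is as sensitive as Domain Admins,
# because both can modify group membership in the directory.
$Approved = @{
    'Domain Admins'     = @('Administrator')
    'Enterprise Admins' = @('Administrator')
    'Administrators'    = @('Administrator', 'OldVendor')   # vendor allowed here only
}

function Get-PrivilegedGroupDrift {
    param([hashtable]$Baseline)
    foreach ($groupName in $Baseline.Keys) {
        # -Recursive expands nested groups, so an account hidden inside a group
        # that was itself added to Domain Admins is still reported.
        $members = @(Get-ADGroupMember -Identity $groupName -Recursive |
                     Select-Object -ExpandProperty SamAccountName)

        # Anyone present but not approved (e.g. the vendor turning up in Domain Admins).
        foreach ($m in $members) {
            if ($Baseline[$groupName] -notcontains $m) {
                [pscustomobject]@{ Group = $groupName; Account = $m; Status = 'UNEXPECTED' }
            }
        }
        # Anyone approved but missing (an account removed to cover tracks, or a typo in the baseline).
        foreach ($a in $Baseline[$groupName]) {
            if ($members -notcontains $a) {
                [pscustomobject]@{ Group = $groupName; Account = $a; Status = 'MISSING' }
            }
        }
    }
}

# Run from a scheduled task and log or mail the output; a non-empty report means drift.
$drift = @(Get-PrivilegedGroupDrift -Baseline $Approved)
if ($drift.Count -gt 0) { $drift | Format-Table -AutoSize } else { 'No drift from baseline.' }
```

Pair the report with auditing of group-membership change events on the DC so that the addition is seen when it happens, not only at the next scheduled run.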

