RE: AD Question

From: Brian W. Spolarich (
Date: 05/01/03

  • Next message: Arnold, Jamie: "RE: Outlook Security Settings removed"
    Date: Thu, 1 May 2003 08:52:43 -0400
    To: <>, <>

    Diego Rivero - Decidir IT wrote:
    > Hi, I have a question.
    > I want to assign administrators rights to a user domain in a machine
    > running W2K Server, the problem is that the machine is domain server,
    > I dont want to make that user member of the domain admin group, He
    > only needs to have administrators rights on the local machine.

      This is not possible. By promoting the machine to become an Active Directory Controller (ADC), you effectively replace the local SAM database with the domain one. ADCs have no local SAM, and all local machine accounts become domain accounts.

      When you promote a machine you will be prompted to specify an "Active Directory Services Restore Mode" password or somesuch. This is essentially the password for the local Administrator acccount that will be used if/when you demote the machine back to a normal domain "member server" sometime in the future. But while the machine is an ADC, it only has domain accounts.

      The intended deployment model for ADCs is to have them be on dedicated hardware that is only used for providing ADC and similar infrastructure services (i.e. Internet Authentication Services, DNS, etc). That's obviously not always practical is very small deployments, so you'll either have to live with the security exposures, or deploy additional hardware to isolate your ADC hosts from the rest of your network functions.


    FastTrain has your solution for a great CISSP Boot Camp. The industry`s most
    recognized corporate security certification track, provides a comprehensive
    prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization
    of pertinent security tools. For a limited time you can enter for a chance
    to win one of the latest technological innovations, the SEGWAY HT.
    Log onto

  • Next message: Arnold, Jamie: "RE: Outlook Security Settings removed"