Re: AD Domain Administrator Priv/rights

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 09/30/05


Date: Fri, 30 Sep 2005 06:42:21 -0700

Marc,

As an added clarification, if it is only file control, then one may also
want to examine where/how resources are being deployed, as those
could easily, and many would say should, be placed on a non-DC,
guarding the DCs from unneeded exposures (to skill levels that is).

-- 
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"Marc Johnson" <MarcJohnson@discussions.microsoft.com> wrote in message 
news:2FB136F4-E416-4ED1-8735-56A82DCDA414@microsoft.com...
> Thank you Steve.  Sounds like I need Sr. Mgt to clarify their role.
>
> Marc
>
> "Steven L Umbach" wrote:
>
>> If all you want to do is to manage access to files/folders then modify share
>> and ntfs permissions for the users that need access which could be regular
>> domain users assuming you are not talking about the administrative shares
>> such as C$. If you want the user to install applications on a domain
>> controller then they would need to be an administrator for the domain unless
>> the application is a .msi package that can be published via Group Policy
>> Software Installation. If you could be more specific on exactly what you
>> need these users to do someone on this newsgroup could probably be of
>> help.   --- Steve
>>
>>
>> "Marc Johnson" <Marc Johnson@discussions.microsoft.com> wrote in message
>> news:64B9FEBA-BF44-4A3B-99AC-B7811294CD3C@microsoft.com...
>> > Hello:
>> >
>> >     I need to know if there is a way to give admins the rights they need to
>> > the domain/files and folders on DC's and servers without granting them GOD
>> > rights?  Is there a best practice out there or has anyone done it.
>> > Basically we don't want to put any Admin into the Domain Admin Group,
>> > instead create a group that gives them the folder/file, and disk rights
>> > they need to do the job of a network administrator.  Is there a case study
>> > or anything of that nature that will help us define those rights and
>> > privs?  Any help would be appreciated, thanks.
>>
>>
>> 

