How to monitor "domain controllers" without domain admin rights
- From: Matthew <Matthew@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 26 Jan 2009 07:20:01 -0800
I hope someone can help me. I manage a fairly large active directory
environment and I'm trying to lock things down to prevent security breaches,
etc. We use various monitoring utilities to monitor all servers (including
DCs) and I'm finding it very difficult to use any of these programs without
breaking my security.
Almost every one of them need domain administrator rights. Well that's not
true, but let me clarify. I stripped the security of the service accounts we
use and created groups to add these service accounts as local admins on the
various servers.
My problem is now specifically with DCs. I don't want these service
accounts to have full administrative privileges on my DCs or Active
Directory. As such I don't want to add these accounts to the built
in\administrators group as they will get these rights. I have successfully
opened up WMI onto these DCs, but am finding my tools use a variety of ways
to run their monitors and they are not all via WMI. For example, some of
these tools check disk space by hitting the root admin share of each drive
(i.e. c$). I can't change permissions on this.
What do I do? Is there a way to give these accounts the rights I need, but
prevent them from actually logging on locally to the DC and prevent them from
making changes in AD?
Do I just bite the bullet here and just make it a domain admin account with
super crazy pw?
TIA!
MCDONAMW
.
- Prev by Date: Re: Security
- Next by Date: EFS Recovery Test
- Previous by thread: Re: R4 ds ayuda
- Next by thread: EFS Recovery Test
- Index(es):
Relevant Pages
|
