Re: SQL Domain Group Permissions




"hsmlives" <hsmlives@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2C9B3582-5162-4850-8E5E-1E3E110C3660@xxxxxxxxxxxxxxxx
We have a new dba that is requesting domain admin access to perform tasks
like checking account operator roles and settings on computer accounts. This
is a new request to me, but I definitely don't want to just hand over domain
admin access. Are there any specific high level sql admin access levels I
can give him to test out functionality? Is anyone currently doing this? Any
suggestions will be much appreciated.

The people I know that are serious about security would never do this. I know
some that claim to manage domains with several hundred thousand users and
have maybe 2 or 3 members of Domain Admins.

Most settings can be retrieved by any authenticated user. Some computer
information retrieved using WMI might require administrator privileges on
the local PC. By default, the group "Domain Admins" is added to the local
Administrators group when the computer is joined to the domain. This allows
members of Domain Admins to retrieve more information on the computers.
However, you can grant someone the same privileges on computers by adding
some other domain group to the local Administrators group on all computers.
Make the dba a member of dba_Admin group, then make this group a member of
Administrators on all PC's, using Restricted Groups in Group Policy.

This still allows members of the new domain group to do great damage on
PC's, including spreading viruses, installing software, changing settings,
etc. There might be a better way to grant the dba the permissions they need.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
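
A Restricted Groups setting like the one described in the reply above is stored in the GPO's GptTmpl.inf under [Group Membership]. As an added example (not part of the original post), this Python script lists which principals such a template puts into the local Administrators group so the grant can be reviewed. The domain SID, the RIDs and the function names are constructed, and it assumes entries are written in SID form.

```python
LOCAL_ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a GptTmpl.inf fragment; the domain SID and RIDs are
# made up (1601 stands in for the dba_Admin group). Real files are UTF-16.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Group Membership]
*{DOMAIN}-1601__Memberof = *S-1-5-32-544
*{DOMAIN}-1601__Members =
*S-1-5-32-555__Members = *{DOMAIN}-1602
"""

def local_admin_grants(inf_text):
    """Return (principal_sid, mode) for each principal placed in local Administrators."""
    grants, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        subject, _, kind = key.strip().rpartition("__")
        subject, kind = subject.lstrip("*"), kind.lower()
        targets = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        if kind == "memberof" and LOCAL_ADMINS_SID in targets:
            # "Member Of": the subject is added, existing local admins stay.
            grants.append((subject, "added"))
        elif kind == "members" and subject == LOCAL_ADMINS_SID:
            # "Members": the list replaces the group's current membership.
            grants.extend((t, "replaces-membership") for t in targets)
    return grants

def unapproved(grants, approved_sids):
    """Principals granted local admin that are not on the reviewed allow-list."""
    return [sid for sid, _ in grants if sid not in approved_sids]

if __name__ == "__main__":
    found = local_admin_grants(SAMPLE_INF)
    for sid, mode in found:
        print(f"{sid} -> local Administrators ({mode})")
    print("needs review:", unapproved(found, {DOMAIN + "-512"}))
```
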