Re: SQL Domain Group Permissions




"hsmlives" <hsmlives@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2C9B3582-5162-4850-8E5E-1E3E110C3660@xxxxxxxxxxxxxxxx
We have a new dba that is requesting domain admin access to perform tasks
like checking account operator roles and settings on computer accounts. This
is a new request to me, but I definitely don't want to just hand over domain
admin access. Are there any specific high level sql admin access levels I
can give him to test out functionality? Is anyone currently doing this? Any
suggestions will be much appreciated.

The people I know that are serious about security would never do this. I know
some that claim to manage domains with several hundred thousand users and
have maybe 2 or 3 members of Domain Admins.

Most settings can be retrieved by any authenticated user. Some computer
information retrieved using WMI might require administrator privileges on
the local PC. By default, the group "Domain Admins" is added to the local
Administrators group when the computer is joined to the domain. This allows
members of Domain Admins to retrieve more information on the computers.
However, you can grant someone the same privileges on computers by adding
some other domain group to the local Administrators group on all computers.
Make the dba a member of dba_Admin group, then make this group a member of
Administrators on all PCs, using Restricted Groups in Group Policy.

This still allows members of the new domain group to do great damage on
PCs, including spreading viruses, installing software, changing settings,
etc. There might be a better way to grant the dba the permissions they need.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
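
An audit sketch for the Restricted Groups approach described in the reply above, added here as an example and not part of the original post: it parses the [Group Membership] section that such a policy writes to a GPO's GptTmpl.inf and lists every principal the policy places in local Administrators. The SIDs in the sample are constructed placeholders and the function name is hypothetical; "additive" marks the "member of" form, which leaves existing local administrators in place, and "replace" marks the "Members" form, which overwrites the group's membership.

```python
import re

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of the section a Restricted Groups policy writes to
# GptTmpl.inf. The domain SIDs are made-up placeholders (RID 1105 stands in
# for the dba_Admin group, RID 512 is the well-known Domain Admins RID).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""

def local_admin_grants(inf_text):
    """Return (principal_sid, mode) pairs the policy puts in local Administrators."""
    grants, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+?)__(memberof|members)", key.strip(), re.IGNORECASE)
        if not m:
            continue
        group, kind = m.group(1).lstrip("*"), m.group(2).lower()
        values = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        if kind == "memberof" and ADMINISTRATORS_SID in values:
            grants.append((group, "additive"))       # group is added to Administrators
        elif kind == "members" and group == ADMINISTRATORS_SID:
            grants.extend((v, "replace") for v in values)  # list overwrites membership
    return grants

if __name__ == "__main__":
    for sid, mode in local_admin_grants(SAMPLE_INF):
        note = " (Domain Admins)" if sid.startswith("S-1-5-21-") and sid.endswith("-512") else ""
        print(f"{mode:9} {sid}{note}")
```

Entries written by group name rather than SID are not matched by this sketch; resolve names to SIDs first if the policy uses them.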