Re: SQL Domain Group Permissions




"hsmlives" <hsmlives@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2C9B3582-5162-4850-8E5E-1E3E110C3660@xxxxxxxxxxxxxxxx
We have a new dba that is requesting domain admin access to perform tasks
like checking account operator roles and settings on computer accounts.
This is a new request to me, but I definitely don't want to just hand over
domain admin access. Are there any specific high level sql admin access
levels I can give him to test out functionality? Is anyone currently doing
this? Any suggestions will be much appreciated.

The people I know that are serious about security would never do this. I know
some that claim to manage domains with several hundred thousand users and
have maybe 2 or 3 members of Domain Admins.

Most settings can be retrieved by any authenticated user. Some computer
information retrieved using WMI might require administrator privileges on
the local PC. By default, the group "Domain Admins" is added to the local
Administrators group when the computer is joined to the domain. This allows
members of Domain Admins to retrieve more information on the computers.
However, you can grant someone the same privileges on computers by adding
some other domain group to the local Administrators group on all computers.
Make the dba a member of dba_Admin group, then make this group a member of
Administrators on all PCs, using Restricted Groups in Group Policy.

This still allows members of the new domain group to do great damage on
PCs, including spreading viruses, installing software, changing settings,
etc. There might be a better way to grant the dba the permissions they need.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
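
An added example, not part of the original post: a Python check that reads the [Group Membership] section of a GPO's GptTmpl.inf, where Restricted Groups settings are stored, and lists every group the policy places in local Administrators so its membership can be reviewed. The sample file content, the domain SID and RID 1105 (standing in for dba_Admin) are constructed, and the function names are hypothetical.

```python
ADMINISTRATORS = ("s-1-5-32-544", "administrators")  # well-known SID, or unresolved name
DOMAIN_ADMINS_RID = "-512"                           # well-known RID of Domain Admins

# Constructed sample: "Member Of" mode, adding RID 1105 (dba_Admin) to Administrators.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
"""

def parse_group_membership(text):
    """Return {(group, 'members'|'memberof'): [principals]} from [Group Membership]."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        entries[(group.lstrip("*"), kind.lower())] = principals
    return entries

def local_admin_grants(text):
    """Principals the GPO puts in local Administrators, via either Restricted Groups mode."""
    grants = []
    for (group, kind), principals in parse_group_membership(text).items():
        if kind == "members" and group.lower() in ADMINISTRATORS:
            grants += [(p, "Members (replaces existing membership)") for p in principals]
        elif kind == "memberof" and any(p.lower() in ADMINISTRATORS for p in principals):
            grants.append((group, "Member Of (adds to existing membership)"))
    return grants

def non_domain_admin_grants(text):
    """Grants other than Domain Admins: the delegated groups that need review."""
    return [g for g in local_admin_grants(text) if not g[0].endswith(DOMAIN_ADMINS_RID)]

if __name__ == "__main__":
    for principal, mode in non_domain_admin_grants(SAMPLE_INF):
        print(f"local admin via GPO: {principal}  [{mode}]")
```

On a real domain the file is read from the GPO's SecEdit folder under SYSVOL and is normally UTF-16 encoded, so decode it before passing the text in.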