Re: Non domain admins installing software on domain controllers

From: Selcuk Demiray (sdemiraynospam@veezy.com)
Date: 01/17/03 

From: "Selcuk Demiray" <sdemiraynospam@veezy.com>
Date: Fri, 17 Jan 2003 23:01:58 +0200

 Perhaps add them to Builtin Power Users Group ?

"Jason Kane" <Jason.Kane-at-btopenworld.com> wrote in message
news:lo3g2vs9qn7reie29d5purl6ou89mtntct@4ax.com...
> If anyone can offer any advice to an issue we have I would be most
> gratefull.
>
> We are mid way through a Windows 2000 deployment. We have a number
> of domain controllers and member servers distributed through out
> Europe and the Middle East. Security wise we delegate control of AD
> object for administrators within each country and for member server we
> add them to the local administrators group, AD wise we also add them
> into the server operators group.
>
> The problem we have is with regards to software/patch installaton on
> domain controllers in that they cannot perform the action because they
> are not administrators over domain controllers (as they are not domain
> administrators). It is fine on member servers as they are members of
> the local admin group (DC's dont have such a concept). For obvious
> reasons we do not want to add them to the domain admins group, however
> we do want them to be able to install their own software and obviously
> install patches as and when they become available. We have already
> given privileges for MSI packages, however as most software (including
> hotfixes) does not use the MSI format they cannot install them.
>
> Has anybody else come across this issue, or know of any resolutions?
>
> Many thanks, Jason

Relevant Pages

  • Non domain admins installing software on domain controllers
    ... object for administrators within each country and for member server we ... domain controllers in that they cannot perform the action because they ... the local admin group. ... install patches as and when they become available. ...
    (microsoft.public.win2000.security)
  • Re: Domain users = local administrator
    ... One common solution is to deliver the software with ... > administrators by using the KB320065. ... > install applications on their local computer without having any problem ...
    (microsoft.public.win2000.security)
  • Re: Admin Privs without being in the administrator group
    ... If someone can install a driver, ... to modify domain controllers. ... IOW if you let me>>add to your kernel on a DC (i.e. install drivers) then I can find things>>to install that let me have any credentials I want anywhere in forest. ... I>>>think the easiest and clearest option is to add this user to the>>>administrators group. ...
    (microsoft.public.windows.server.security)
  • Re: Non domain admins installing software on domain controllers
    ... I don't recommend giving non-domain admins local logon rights to a DC at ... In fact in our company we have some 350 Domain Controllers spread ... > of domain controllers and member servers distributed through out ... > install patches as and when they become available. ...
    (microsoft.public.win2000.security)
  • Re: Exchange 2000 containers (Fields) not showing up in active directory!!
    ... using a domain admin account outside of a secure server room/datacentre. ... Install it on your workstations, ... > be managing users directly from domain controllers, ... >> On all of your Domain Controllers you need to drop in the Exchange 2000 ...
    (microsoft.public.win2000.active_directory)