Re: Non domain admins installing software on domain controllers

From: "Joe Richards [MVP]" <humorexpress@hotmail.com>
Date: Sat, 18 Jan 2003 11:38:07 -0500


I don't recommend giving non-domain admins local logon rights to a DC at
all. In fact in our company we have some 350 Domain Controllers spread
around the world and the only people with any access rights on the DC's are
the 3 Domain Admins. If we need something done to a DC that can NOT be done
via TS or other scripting tools, we demote the server, let the local site
admins modify the box, then we audit the box and if it is ok, we repromote
it.

--
Joe Richards
www.joeware.net
---
"Jason Kane" <Jason.Kane-at-btopenworld.com> wrote in message
news:lo3g2vs9qn7reie29d5purl6ou89mtntct@4ax.com...
> If anyone can offer any advice to an issue we have I would be most
> grateful.
>
> We are midway through a Windows 2000 deployment.  We have a number
> of domain controllers and member servers distributed throughout
> Europe and the Middle East.  Security wise we delegate control of AD
> objects for administrators within each country and for member servers we
> add them to the local administrators group, AD wise we also add them
> into the server operators group.
>
> The problem we have is with regards to software/patch installation on
> domain controllers in that they cannot perform the action because they
> are not administrators over domain controllers (as they are not domain
> administrators). It is fine on member servers as they are members of
> the local admin group (DCs don't have such a concept). For obvious
> reasons we do not want to add them to the domain admins group, however
> we do want them to be able to install their own software and obviously
> install patches as and when they become available.  We have already
> given privileges for MSI packages, however as most software (including
> hotfixes) does not use the MSI format they cannot install them.
>
> Has anybody else come across this issue, or know of any resolutions?
>
> Many thanks, Jason

