Deny login on member server
From: "George Taylor" <gtaylor@rcrh.org>
Date: Thu, 27 Feb 2003 14:34:17 -0800
Does anyone know of a way to limit logins on a member server
in the same way it is limited on DCs, domain admins only?
Thanks,
George