Re: logon to DC without Admin rights

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/13/05 

Date: Fri, 13 May 2005 00:17:05 -0500

The problem with allowing them to logon in AD Restore is that would give
them the ability to add themselves to the domain admins group per the link
below and logon to Recovery console.

http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm

If you enable Software Update Services on your network, Windows Updates and
Service Packs can be installed AND approved automatically or any .msi
package can be published/assigned to users or assigned to computers which
will allow installation without administrator intervention. --- Steve

"Spence" <Spence@discussions.microsoft.com> wrote in message
news:8EF7A810-1EC1-40FB-88D6-C2A5F343331F@microsoft.com...
>I have a service provider that will be handeling software updates and
>service
> pack installation. I have a secured root forest and would like to provide
> security to the forest, hence I dont want to give these guys access to
> dsa,dssite,and dnsmgmt.msc's. Is there a group or way to configure my
> dc's
> to allow this userid to logon just for updates to server? I know this
> functionality is not normal as most Admins trust the service provider that
> is
> taking care of the day to day. However I really don't want to give them
> access to these functions.
>
> Side note:
> I know about the default domain controller policy where you can add the
> user
> to logon locally, but this doesn't give them enough access, to do what
> they
> need to do.
>
> One thought was to give them a local account on/in directory restore mode,
> this would allow them to logon to the local server without the AD and have
> admin rights to the local (per say) server. I was just uncertain if I
> could
> update all necessary drivers and or service packs in this environment. (
> as
> it is basically safe mode with limited functionality ( no network support
> for
> example )
>
>
> Thanks in advance.

Relevant Pages

  • Re: Remote Client Configuration
    ... > Thanks for quickly updates. ... > group policy will not be updates, instead it will use the old policy that ... > will be applied after the user logon in order to reduce the logon process. ... > laptop to connect to SBS domain first; currently we have no other better ...
    (microsoft.public.windows.server.sbs)
  • Re: Windows XP machine unable to log onto a Windows 2003 domain; used to have no problem
    ... netdiag shows Kerberos and trust failures. ... No user, including admins, can logon ... including domain admins and enterprise admins. ... >> The security logs on the DCs and the machine in question show no errors. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: LDAP query failing
    ... for logon is and then modify your search to look for that if it ... > Any suggestions for options other than sAMAccountName to allow users to ... >> you need to speak to your AD admins and find a good search base ... >> to be using in your LDAP URL; you need to find where the user accounts ...
    (microsoft.public.windows.server.active_directory)
  • Re: RDP/TS GPO Settings - Users unable to logon
    ... Most likely the helpdesk guys are logging on to a domain controller. ... Logging in to a domain controller is restricted to Admins and Backup ... Others will be denied because they are not allowed to logon locally ...
    (microsoft.public.windows.server.active_directory)
  • Windows XP (Home) Logon Problem
    ... Last night after I shut down the machine, I tried to re-boot back ... The result was a Logon Message which said "The system cannot log you on due ... I'm not sure if this is related but I had recently installed SP2 from a ... I went ahead and downloaded/installed the 4 critical updates. ...
    (microsoft.public.windowsxp.general)