Re: logon to DC without Admin rights
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/13/05
- Previous message: pwalessi1_at_gmail.com: "CryptProtectData output to a file"
- In reply to: Spence: "Re: logon to DC without Admin rights"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 13 May 2005 12:05:02 -0500
I have never heard of or read of anyone taking that approach and cannot
recommend it myself. I can't think of another solution other than make sure
these people are trustworthy and competent, and you can enable auditing on
the domain controllers for things like account management and policy change
to try and track that they are not doing things that they are not supposed
to. --- Steve
"Spence" <Spence@discussions.microsoft.com> wrote in message
news:5EF5857E-1736-49DB-BD49-2EC79E48B7E4@microsoft.com...
> Thanks for the feedback but I know just as a rule, if you have physical
> access to the server anything is possible. However I still need to enable
> this sort of function on the DCs. I also am aware of the SUS at the local
> level and domain level, unfortunately my organization will not allow this
> type of service on the servers. Workstations different story but the servers
> they want to have as much control as possible over the root. I have seen
> the trick that you referenced from petri's website pretty slick I must say
> but nonetheless I still have the same problem to deal with. So what are
> your thoughts about the directory restore mode option, do you think that this
> would be acceptable for software updates/patches?
> Thanks once again for the feedback.
>
>
> "Steven L Umbach" wrote:
>
>> The problem with allowing them to logon in AD Restore is that would give
>> them the ability to add themselves to the domain admins group per the link
>> below and logon to Recovery console.
>>
>> http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm
>>
>> If you enable Software Update Services on your network, Windows Updates and
>> Service Packs can be installed AND approved automatically or any .msi
>> package can be published/assigned to users or assigned to computers which
>> will allow installation without administrator intervention. --- Steve
>>
>>
>> "Spence" <Spence@discussions.microsoft.com> wrote in message
>> news:8EF7A810-1EC1-40FB-88D6-C2A5F343331F@microsoft.com...
>> > I have a service provider that will be handling software updates and service
>> > pack installation. I have a secured root forest and would like to provide
>> > security to the forest, hence I don't want to give these guys access to
>> > dsa, dssite, and dnsmgmt.msc's. Is there a group or way to configure my DCs
>> > to allow this userid to logon just for updates to server? I know this
>> > functionality is not normal as most Admins trust the service provider that
>> > is taking care of the day to day. However I really don't want to give them
>> > access to these functions.
>> >
>> > Side note:
>> > I know about the default domain controller policy where you can add the user
>> > to logon locally, but this doesn't give them enough access, to do what they
>> > need to do.
>> >
>> > One thought was to give them a local account on/in directory restore mode,
>> > this would allow them to logon to the local server without the AD and have
>> > admin rights to the local (per se) server. I was just uncertain if I could
>> > update all necessary drivers and or service packs in this environment (as
>> > it is basically safe mode with limited functionality, no network support
>> > for example).
>> >
>> >
>> > Thanks in advance.
>>
>>
>>
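As an added example (not from the thread or from Steve), a PowerShell script for the auditing Steve recommends: it turns on the account-management and policy-change audit settings on a DC and then lists recent additions to the privileged groups the thread is worried about. It assumes Windows Server 2008 or later (auditpol.exe and Get-WinEvent); on the 2003-era servers discussed here the same settings live in the Default Domain Controllers Policy and the group-membership events are 632/636/660 rather than 4728/4732/4756.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008 or later
# (auditpol.exe and Get-WinEvent); run in an elevated PowerShell on the DC.

# 1. Enable the audit subcategories behind "account management" and "policy change".
#    Server 2003 has only the two category-level settings in the Default Domain
#    Controllers Policy, not per-subcategory control.
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change"       /success:enable /failure:enable

# 2. Report who added whom to a privileged group in the last 7 days.
#    4728 = member added to global group    (Domain/Enterprise/Schema Admins)
#    4732 = member added to local group     (builtin Administrators)
#    4756 = member added to universal group
#    4719 = system audit policy changed     (someone turning this auditing off)
$watched = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$filter  = @{ LogName = 'Security'; Id = 4728, 4732, 4756, 4719; StartTime = (Get-Date).AddDays(-7) }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the named EventData fields out of the event XML
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $actor = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"

    if ($_.Id -eq 4719) {
        [pscustomobject]@{ Time = $_.TimeCreated; Event = 'AuditPolicyChanged'
                           Group = ''; Member = ''; By = $actor }
    } elseif ($watched -contains $data['TargetUserName']) {
        [pscustomobject]@{ Time = $_.TimeCreated; Event = 'MemberAdded'
                           Group = $data['TargetUserName']; Member = $data['MemberName']; By = $actor }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The Security log is local to each DC, so run this on every DC (or forward the events centrally) rather than on just one.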