Re: Need help locking down a server
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 14 Dec 2006 15:13:52 -0700
While I agree with you, notice that you could go further.
> Only IT staff that needs to administer domain controllers (physically)
> needs to be member of Domain Administrators group.
one can state
Only IT staff that needs to administer domain controllers (physically) need
to be member of the domain's Administrators group, and only members of
the Domain Administrators group if they manage AD (or require broad,
default admin access on members for such as for scanning).
Sorry, it is a small pet peeve of mine seeing how the scope of power
of the domain's Administrators group is overlooked.
"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
Only IT staff that needs to administer domain controllers (physically)
needs to be member of Domain Administrators group. For everyone else it is
enough to be Administrator on the systems that they need to manage (e.g.
Exchange server). You can even limit this and delegate some other tasks
(e.g. Backup Administrators,...).
If your question is how to limit Domain Administrators from logging onto
Exchange server -- you can't. You simply can't limit someone who is Domain
Administrator. Even if you deny someone logon locally permissions, if the
person is Domain Administrator -- he/she can change that policy at any
time and allow themselves to logon to any server...
Microsoft MVP - Windows Security
"Chris Hall" <someone@xxxxxxxxxxxxx> wrote in message
I'm looking into options to secure our mail server (Exchange 2003 on
2003). We have an IT staff of 5 people, which includes our dept mgr, all
which have access to the administrator password and whose accounts are
members of the Domain Admins group. What I propose to do is:
1. Change Admin password, allowing only one person access.
2. Disable Remote Desktop
3. Deny Logon Locally.
The only thing I can't seem to figure out is how to deny all users except
If anyone has any suggestions, I'd appreciate it!
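
Added example, not part of the original thread: a membership review that covers both groups discussed above and flags accounts that hold rights through the domain's built-in Administrators group without being in Domain Admins, which a Domain Admins-only review would miss. The account names, the approved list and the function name `Get-PrivilegedAccountReport` are constructed for illustration; collecting live data as shown in the comment assumes the ActiveDirectory PowerShell module is available.

```powershell
# Constructed sample data: effective (recursive) members of each group.
# On a live domain the same lists can be collected with, for example:
#   Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
#       Select-Object -ExpandProperty SamAccountName
$membership = @{
    'Domain Admins'  = @('Administrator', 'staff1', 'staff2', 'staff3', 'staff4', 'itmgr')
    'Administrators' = @('Administrator', 'staff1', 'staff2', 'staff3', 'staff4', 'itmgr',
                         'svc-backup', 'helpdesk1')
}

# Hypothetical list of accounts approved to hold domain-controller-level rights.
$approved = @('Administrator', 'staff1')

function Get-PrivilegedAccountReport {
    param(
        [Parameter(Mandatory)][hashtable]$Membership,
        [string[]]$Approved = @()
    )
    # Flatten every group's member list into one de-duplicated set of accounts.
    $accounts = $Membership.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($account in $accounts) {
        # All reviewed groups this account is an effective member of.
        $groups = @($Membership.Keys |
            Where-Object { $Membership[$_] -contains $account } |
            Sort-Object)
        [pscustomobject]@{
            Account            = $account
            Groups             = $groups -join ', '
            # Rights come from built-in Administrators alone, so the account
            # does not show up when only Domain Admins is reviewed.
            AdministratorsOnly = ($groups -contains 'Administrators') -and
                                 ($groups -notcontains 'Domain Admins')
            Approved           = $Approved -contains $account
        }
    }
}

# Unapproved accounts sort first ($false before $true).
Get-PrivilegedAccountReport -Membership $membership -Approved $approved |
    Sort-Object Approved, Account |
    Format-Table -AutoSize
```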