Re: Need help locking down a server



Hi Miha

While I agree with you, notice that you could go further.
Instead of
Only IT staff that needs to administer domain controllers (physically)
needs to be member of Domain Administrators group.
one can state
Only IT staff that needs to administer domain controllers (physically) need
to be member of the domain's Administrators group, and only members of
the Domain Administrators group if they manage AD (or require broad,
default admin access on members, such as for scanning).

Sorry, it is a small pet peeve of mine seeing how the scope of power
of the domain's Administrators group is overlooked.
Roger
"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:OIYwW%237HHHA.1064@xxxxxxxxxxxxxxxxxxxxxxx
Hi Chris,

Only IT staff that needs to administer domain controllers (physically)
needs to be member of Domain Administrators group. For everyone else it is
enough to be Administrator on the systems that they need to manage (e.g.
Exchange server). You can even limit this and delegate some other tasks
(e.g. Backup Administrators,...).

If your question is how to limit Domain Administrators from logging onto
Exchange server -- you can't. You simply can't limit someone who is Domain
Administrator. Even if you deny someone logon locally permissions, if the
person is Domain Administrator -- he/she can change that policy at any
time and allow themselves to logon to any server...

--
Mike
Microsoft MVP - Windows Security

"Chris Hall" <someone@xxxxxxxxxxxxx> wrote in message
news:e7gSEe5HHHA.3952@xxxxxxxxxxxxxxxxxxxxxxx
Greetings,

I'm looking into options to secure our mail server (Exchange 2003 on
Windows 2003). We have an IT staff of 5 people, which includes our dept
mgr, all of which have access to the administrator password and whose
accounts are members of the Domain Admins group. What I propose to do is:

1. Change Admin password, allowing only one person access.
2. Disable Remote Desktop
3. Deny Logon Locally.

The only thing I can't seem to figure out is how to deny all users except
administrator.

If anyone has any suggestions, I'd appreciate it!
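
The distinction drawn in this thread between the domain's built-in Administrators group and Domain Admins, as an added PowerShell example (not code from any poster): it expands nested membership of Administrators and marks which accounts arrive there through Domain Admins, and so also hold default local admin rights on member servers such as the Exchange box. Group contents and account names are constructed sample data; the function names are hypothetical, and feeding it from `Get-ADGroupMember` assumes the ActiveDirectory module is available.

```powershell
# Constructed sample data: direct members of each group (names are invented).
# On a live domain each list could come from Get-ADGroupMember -Identity <group>.
$DirectMembers = @{
    'Administrators'    = @('Domain Admins', 'Enterprise Admins', 'dc-operator1')
    'Domain Admins'     = @('Administrator', 'it-mgr', 'it-staff1', 'it-staff2')
    'Enterprise Admins' = @('Administrator')
}

function Get-EffectiveMember {
    # Expands nested groups and emits the user accounts found underneath $Group.
    param(
        [Parameter(Mandatory = $true)] [string]    $Group,
        [Parameter(Mandatory = $true)] [hashtable] $Map,
        [hashtable] $Visited = @{}
    )
    if ($Visited.ContainsKey($Group)) { return }   # circular nesting guard
    $Visited[$Group] = $true
    foreach ($member in $Map[$Group]) {
        if ($Map.ContainsKey($member)) {
            # Member is itself a group in the export: recurse into it.
            Get-EffectiveMember -Group $member -Map $Map -Visited $Visited
        } else {
            $member
        }
    }
}

function Get-AdminScopeReport {
    # One row per account with effective membership in the domain's Administrators group.
    param([Parameter(Mandatory = $true)] [hashtable] $Map)
    $dcAdmins     = @(Get-EffectiveMember -Group 'Administrators' -Map $Map | Sort-Object -Unique)
    $domainAdmins = @(Get-EffectiveMember -Group 'Domain Admins'  -Map $Map | Sort-Object -Unique)
    foreach ($account in $dcAdmins) {
        $viaDomainAdmins = $domainAdmins -contains $account
        $scope = if ($viaDomainAdmins) {
            'DCs and domain, plus default local admin on members'
        } else {
            'DCs and domain; no default admin on members'
        }
        New-Object psobject -Property @{
            Account = $account; InDomainAdmins = $viaDomainAdmins; Scope = $scope
        }
    }
}

Get-AdminScopeReport -Map $DirectMembers | Sort-Object InDomainAdmins, Account |
    Format-Table Account, InDomainAdmins, Scope -AutoSize
```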





