Re: Administrative rights on specified domain controller
If you need actual admin rights you can't. An admin on one DC is an admin on all DCs. Plus an admin account can trivially escalate themselves to domain and enterprise admin level rights.

There are some things you can delegate, say like stopping and starting services, but doing any of that can be very dangerous with DCs because there are various mechanisms that people can use to escalate their rights or otherwise cause DCs to malfunction. It is generally a bad idea to give anyone rights to a DC who aren't the "buck stops here" people for making sure the DCs work properly, i.e. if someone isn't responsible for the end state running of the machine and the forest as a whole, don't give them rights.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Ilya wrote:
Hi

I have a domain with many DCs, I want to grant some user administrative rights only on a specified DC, not for the entire domain. I have read KB240267 ("Administrators cannot be restricted in Windows 2000" - http://support.microsoft.com/kb/240267). It's impossible for Win2000, and what about Win2003?

Thanks
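The practical consequence of the answer above is that membership in any DC-level group is effectively forest-wide, so the useful defensive exercise is to audit who holds such rights rather than to try to scope them to one DC. The script below is an added example, not code from the thread or from its participants. It assumes the ActiveDirectory RSAT module is available and that the account running it can read group membership; the group names are the standard built-in and default AD groups, while the `$Approved` list is a placeholder to be replaced with the accounts that actually own the DCs.

```powershell
# Added example (not from the thread): enumerate the groups whose members
# can administer or materially affect every domain controller, and flag any
# member that is not on an approved list. Assumes the ActiveDirectory module.

Import-Module ActiveDirectory

# Groups whose membership amounts to DC-wide (and therefore domain-wide) power.
$PrivilegedGroups = @(
    'Administrators',      # Builtin group; local Administrators on every DC
    'Domain Admins',
    'Enterprise Admins',
    'Schema Admins',
    'Server Operators',    # can log on to DCs and start/stop services
    'Backup Operators',    # can read any file on a DC, including backups of ntds.dit
    'Account Operators',
    'Print Operators'      # can load printer drivers (kernel-mode code) on DCs
)

# Placeholder: the "buck stops here" accounts expected to hold these rights.
$Approved = @('Administrator', 'PLACEHOLDER_dc_owner_account')

$Findings = foreach ($g in $PrivilegedGroups) {
    try {
        # -Recursive expands nested groups so indirect members are not missed.
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Group       = $g
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
            Approved    = ($Approved -contains $m.SamAccountName)
        }
    }
}

# Anything reported here can reach every DC, not just one of them.
$Findings |
    Where-Object { -not $_.Approved } |
    Sort-Object Group, Member |
    Format-Table Group, Member, ObjectClass -AutoSize
```

Run it from a management host with RSAT rather than on a DC itself; the point is a read-only review of who already has DC-level reach, which is the control that remains available when per-DC admin scoping is not possible.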