Re: Local admin user rights on remote DC
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/13/04
- Next message: mjohead2: "FTP Download Access"
- Previous message: Willk: "Re: Local admin user rights on remote DC"
- In reply to: lvm: "Local admin user rights on remote DC"
- Next in thread: lvm: "Re: Local admin user rights on remote DC"
- Reply: lvm: "Re: Local admin user rights on remote DC"
- Reply: Colin Nash [MVP]: "Re: Local admin user rights on remote DC"
Date: Wed, 13 Oct 2004 12:24:33 -0500
Unfortunately there is no power user local equivalent on domain controllers.
Your options are delegation, privileged group membership [server operators,
etc], or user rights assignments. What may work is if you create a sub
Organizational Unit for each site in the domain controller container. Then
create a global group for each site that includes your site administrators.
Then create a GPO for each sub OU and configure the user rights for deny
logon locally, deny access to this computer from the network, and deny logon
through Remote Desktop [if available] to include the global groups from the
other sites for the site administrators. Then move the domain controllers
into the sub OU for each site. You would not have to configure any other
settings for the GPOs for the sites and they will still inherit the Domain
Security Policy settings except for what you define in each sub OU. Do NOT
remove domain controllers out from the domain controller container
structure, but sub Organizational Units of the domain controller container
should work fine. If you are interested, try testing with one site first to
see if users in the server operators, etc groups from another site are
prevented from managing restricted domain controllers through Computer
Management, Remote Desktop, command line, etc.
--- Steve
"lvm" <lvm@erudict.com> wrote in message
news:bf012c14.0410130559.2d22f6dc@posting.google.com...
> Hello,
>
> We have set up a multi site AD 2003. Now we need to implement security
> as such that all major administrative tasks are done from a central
> location (HQ), this works fine. The second part of the security
> implementation consists of granting local admins certain privileges on
> the local installed servers. As most sites have a fairly small number
> of users (20 to 100) only 1 server is installed on the remote site.
> This server combines the functions of DC, DNS, DHCP, WINS, Exchange,
> file and print server. We want to grant the local admins the right to
> manage all the resources on site like users, printers and so on. For
> items in the AD we have delegated control on the OU which is created
> to home all local resources and this works fine. The problem is with
> regards the ability to install/update the antivirus, backup and site
> specific software which needs to get installed on the local server
> (which is a DC). Also we want them to be able to add printers with the
> drivers, create and manage the shares on the server and perform backup
> and restore. Putting the local admins in predefined groups (account
> operators, server operators, printer operators, backup operators) does
> not work as they then can do the actions on all DCs, even those which
> are not within their site.
> Adding the local admins to the administrators group is not an option
> as we do not want a local admin to be able to do those things on a
> server which is not located in his site.
> In fact what we need is a "Power users" privilege which is bound to
> the local server (DC)
>
> All suggestions are welcome.
>
> Thanks in advance
>
> Luc
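
A way to check the per-site deny rights described in the reply above, as an added example that is not part of the original thread: it reads the [Privilege Rights] section of a security template exported from one site's domain controller (for instance with `secedit /export /cfg`) and reports any other site's admin group missing from the three deny rights, plus the case where the site's own group was denied by mistake. The site names, group names and sample export are constructed, and it assumes accounts appear in the export by name rather than as `*SID` entries.

```python
import configparser

# Security-template names of the three deny rights listed in the reply.
DENY_RIGHTS = (
    "SeDenyInteractiveLogonRight",        # deny logon locally
    "SeDenyNetworkLogonRight",            # deny access to this computer from the network
    "SeDenyRemoteInteractiveLogonRight",  # deny logon through Remote Desktop
)
# Constructed layout: one global group of site administrators per site.
SITE_ADMIN_GROUPS = {
    "SiteA": r"CORP\SiteA-Admins",
    "SiteB": r"CORP\SiteB-Admins",
    "SiteC": r"CORP\SiteC-Admins",
}
# Constructed export from a SiteA domain controller; the Remote Desktop
# right is missing the SiteC group.
SAMPLE_SITEA_EXPORT = r"""
[Privilege Rights]
SeDenyInteractiveLogonRight = CORP\SiteB-Admins,CORP\SiteC-Admins
SeDenyNetworkLogonRight = corp\siteb-admins, CORP\SiteC-Admins
SeDenyRemoteInteractiveLogonRight = CORP\SiteB-Admins
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of lower-cased account names} from a template export."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {a.strip().lower() for a in value.split(",") if a.strip()}
            for right, value in cp["Privilege Rights"].items()}

def audit(site, inf_text):
    """Return (right, problem, group) findings for one site's domain controller."""
    granted = parse_privilege_rights(inf_text)
    own = SITE_ADMIN_GROUPS[site]
    findings = []
    for right in DENY_RIGHTS:
        denied = granted.get(right, set())
        for other, group in sorted(SITE_ADMIN_GROUPS.items()):
            if other != site and group.lower() not in denied:
                findings.append((right, "other site not denied", group))
        if own.lower() in denied:  # a deny on the site's own group locks its admins out
            findings.append((right, "own site locked out", own))
    return findings
```

Calling `audit("SiteA", SAMPLE_SITEA_EXPORT)` returns one finding, for the Remote Desktop right and the SiteC group.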