Re: Local admin user rights on remote DC

From: Colin Nash [MVP] (x_at_x)
Date: 10/17/04


Date: Sun, 17 Oct 2004 05:14:56 -0400


"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:udl3tt5sEHA.3564@tk2msftngp13.phx.gbl...
>I missed that part of your requirements. To manually install software on a
>domain controller, they will need to be a domain administrator. There
>simply is no workaround. What may work is if you temporarily add them to
>the domain admins group just to do that function and then remove them. Of
>course you run the risk that they could do other admin functions like
>change policy, permissions, or group memberships in the meantime. You could
>check group membership later for the admin groups to make sure that they
>have not added unauthorized accounts. While the principle of least needed
>privileges is a core part of securing a network, most good employees have
>no desire to do malicious acts to the network if given elevated privileges
>for a short period of time and they may not even realize they have admin
>access. Using Group Policy to deny their user accounts to specific MMC
>snap-ins they do not need to use may also be helpful if you end up doing
>that to deter the idle curious. Another option is if the software that
>needs to be installed is .msi packages or can be converted to .msi
>packages, you can use Group Policy Software Installation to "assign" those
>packages to the domain controllers. See the link below for more info on
>that. --- Steve
>
> http://www.microsoft.com/windows2000/techinfo/planning/management/swinstall.asp
> -- Group Policy Software installation
>

Terminal Services would be a solution to allow for remote management of the
DCs, by your central admin staff (instead of relying on the local site
admins.) Management of individual DCs is fairly rare. If the local admins
need to install other software on these servers because the DCs are being
used as local file servers, then it might be a better idea to use separate,
dedicated machines for DCs and let the local admins have full access to
their own servers. The hardware requirements for a DC aren't incredibly
high. It's likely that you don't even need an actual "server" machine at
each site. A high-end desktop "PC" running Server 2003 could easily do it.
Depends on your needs and budget etc.

Maybe you are trying to save on hardware costs by putting everything on one
box, but DCs are sort of "special" and you are sacrificing security.
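Steve's suggestion above to re-check the admin groups after a temporary elevation, as an added example that is not part of this thread: a PowerShell script (it assumes the ActiveDirectory module and its Get-ADGroupMember cmdlet) that saves a baseline of privileged-group membership before the local admin is added to Domain Admins, and reports any members added or removed once the elevation is revoked.

```powershell
# Added example (not from the thread): snapshot privileged-group membership
# before a temporary elevation, then diff it afterwards. Assumes the
# ActiveDirectory module; run with -Snapshot first, then again without it.
param(
    [string]$BaselinePath = "$env:USERPROFILE\admin-groups-baseline.json",
    [switch]$Snapshot
)
Import-Module ActiveDirectory

# Groups that grant administrative control over the domain or its DCs.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedMembership {
    $result = @{}
    foreach ($g in $PrivilegedGroups) {
        # -Recursive expands nested groups, so an account slipped into a
        # group that is itself a member of Domain Admins is still caught.
        $members = Get-ADGroupMember -Identity $g -Recursive |
                   Select-Object -ExpandProperty distinguishedName | Sort-Object
        $result[$g] = @($members)
    }
    return $result
}

function Compare-PrivilegedMembership($Baseline, $Current) {
    $findings = @()
    foreach ($g in $PrivilegedGroups) {
        $diff = Compare-Object -ReferenceObject @($Baseline[$g]) -DifferenceObject @($Current[$g])
        foreach ($d in $diff) {
            $change = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            $findings += [pscustomobject]@{ Group = $g; Change = $change; Member = $d.InputObject }
        }
    }
    return $findings
}

$current = Get-PrivilegedMembership
if ($Snapshot) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline saved to $BaselinePath"
    return
}
# ConvertFrom-Json yields a PSCustomObject; turn it back into a hashtable.
$baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
$baselineTable = @{}
foreach ($p in $baseline.PSObject.Properties) { $baselineTable[$p.Name] = @($p.Value) }
$findings = Compare-PrivilegedMembership -Baseline $baselineTable -Current $current
if ($findings.Count -eq 0) { Write-Host 'No membership changes in privileged groups.' }
else { $findings | Format-Table -AutoSize }
```

Any ADDED row that is not the account you deliberately elevated is the unauthorized addition Steve warns about; a REMOVED row is worth a look too, since dropping a legitimate admin is also a policy change.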
