Re: Administer DC at remote site without domain admin rights
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/27/04
- Next message: John Gerone: "Re: Group Policy Editor crashes when trying to define numbers > 999"
- Previous message: bitwrangler: "Administer DC at remote site without domain admin rights"
- In reply to: bitwrangler: "Administer DC at remote site without domain admin rights"
- Next in thread: John Gerone: "Re: Administer DC at remote site without domain admin rights"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Oct 2004 17:47:04 -0500
Depending on what you want the user to be able to do you have some options.
You can delegate authority in Active Directory over an OU or such if you
want the user to create/manage users, groups, and computer accounts. For
managing the server you can add the user to privileged accounts such as
server operator, print operator, network configuration operators, and backup
operators. There are also a lot of user rights that you can add the user to
that will allow him to do some tasks such as load and unload device drivers
and manage auditing and security log. The link below explains the user
rights on Windows 2003. Note that for domain controllers user rights are
defined in Domain Controller Security Policy. To prevent a user from having
user rights on all domain controllers, you would have to create an OU within
the domain controller container to move that DC into and then create a GPO
for it to configure the needed user rights. All other Domain Controller
Security Policy will be inherited by that OU except what you define in the
GPO for it. Services can also be configured so that additional users can
start and stop a service. This can be done via Group Policy, through
Security Configuration and Analysis MMC snap-in tool, or with subinacl as
described in the second link below. I would not recommend using Group Policy
unless the GPO applies to only that domain controller.
http://www.microsoft.com/technet/Security/prodtech/win2003/w2003hg/sgch03.mspx#E0EB0AA
http://support.microsoft.com/?kbid=288129
Installing updates and applications could be a problem however if you need
the user to do such. Updates can be installed automatically if the update
client is configured to install by schedule, however you may not want to do
that on a domain controller unless you are using Software Update Services
which gives you the ability to approve updates before they are installed.
Applications that use an .msi extension can be installed by assignation via
Group Policy without any user intervention. For those situations when this
user cannot do tasks, you could remote into the domain controller via
Remote Desktop to perform the tasks. IPsec filtering policy using filters
and permit/block filter actions could be used to allow inbound connections
from only the IP addresses of authorized computers to minimize the risk of
enabling Remote Desktop.
--- Steve
"bitwrangler" <newsgroups@hartmanhomes.com> wrote in message
news:fqhtn0p8mh7t2gg1m78bo6rkhfcqbov3rt@4ax.com...
>I have a server at a remote site that is a domain controller (W2k3
> standard). I would like to give a user the ability to be an admin on
> the local box without being a domain admin. Being that there is no
> local logon now that it's a DC, I think I may be out of luck but
> wondered if anyone had a suggestion?
>
> Greg
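
An added example, not part of the original post or the linked Microsoft articles: a Python check that a service's DACL, after start/stop rights have been delegated as the reply describes, grants the delegated account nothing beyond that. It assumes the descriptor is available as an SDDL string (the form `sc sdshow <service>` prints); the SIDs and the sample descriptor are constructed for illustration.

```python
import re

# SDDL right codes as they apply to service objects (service access rights).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Holders of these can repoint the service binary or rewrite its ACL.
DANGEROUS = {"CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}
EXPECTED_ADMINS = {"SY", "BA"}  # LocalSystem, built-in Administrators
# Constructed sample: both SIDs below are made-up delegated accounts.
GOOD_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BAD_SID = "S-1-5-21-1111111111-2222222222-3333333333-1106"
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    f"(A;;LCRPWPRC;;;{GOOD_SID})(A;;DCLCRPWPRC;;;{BAD_SID})(A;;RPWP;;;AU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for each ACE in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, skip it
        codes = re.findall(r"[A-Z]{2}", fields[2])
        aces.append((fields[0], fields[5], {SERVICE_RIGHTS.get(c, c) for c in codes}))
    return aces

def audit(sddl, delegated):
    """Flag allow-ACEs that exceed a start/stop-only delegation."""
    findings = []
    for ace_type, trustee, rights in parse_dacl(sddl):
        if ace_type != "A" or trustee in EXPECTED_ADMINS:
            continue
        risky, startstop = rights & DANGEROUS, rights & {"START", "STOP"}
        if risky:
            findings.append((trustee, "can escalate", sorted(risky)))
        elif startstop and trustee not in delegated:
            findings.append((trustee, "unexpected start/stop", sorted(startstop)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SDDL, {GOOD_SID}):
        print(finding)
```

Rights given as a hex mask rather than two-letter codes are not decoded by this sketch and would need separate handling.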