Re: Domain Controller Security



Sure, or even just Administrators fits the poster's request.

Joe however is correct in providing the precautionary warning, as
either Server Operators or Administrators could without too much
effort elevate themselves to Domain Admins (or Enterprise Admins
if on the forest root domain).

As such some feel it is better to not pretend that one has gained
something solid by not making use of Domain Admins membership
to begin with (so that all due precautions are attended to).

"Ondrej Sevecek" <ondra at my_surname dot com> wrote in message
news:uaYjjjDHGHA.3752@xxxxxxxxxxxxxxxxxxxxxxx
> Server Operators.
>
>
> O.
>
>
>
> "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
> news:uLCJI8KGGHA.1396@xxxxxxxxxxxxxxxxxxxxxxx
>> You can't do it. They have to have admin rights to the DC and once they
>> have that they have more than enough rights to escalate all the way to
>> enterprise admin or anything else they want.
>>
>> The way this was handled in a Fortune 5 company I managed 400 global DCs
>> for (with 3 admins and a manager) was to demote DCs when hardware work
>> needed to be done. If that couldn't occur, the DC was cut out of the
>> forest and reloaded and the admin did the work and then it was
>> repromoted.
>>
>> With Longhorn AD this will be a little easier to handle in WAN Site
>> situations.
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>>
>> corydch@xxxxxxxxxxx wrote:
>>> I'm running Windows Server 2003 in Active Directory environment. I am
>>> trying to trim my domain administrators but having trouble because I
>>> have people who administer the hardware for a domain controller who I
>>> want to remove from the group. Anyone know of a way to give non-domain
>>> admins access to device manager for hardware purposes without making
>>> them full domain administrators? Any suggestions would be appreciated.
>>>
>>> Cory
>>>
>
>
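
An audit sketch for the point made in this thread, added here as an example and not written by any of the posters: when trimming Domain Admins, list every account that still reaches a DC through Administrators or Server Operators, since the replies treat those groups as equivalent in practice. It assumes the RSAT ActiveDirectory module and read access to the domain (neither is mentioned in the thread); the function name Get-DcAdminEquivalent is hypothetical.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and read access to the domain; Get-DcAdminEquivalent is a hypothetical name.
Import-Module ActiveDirectory

function Get-DcAdminEquivalent {
    $domain = Get-ADDomain
    # Well-known SIDs/RIDs, so renamed or localized group names still resolve.
    $groups = [ordered]@{
        'Domain Admins'    = "$($domain.DomainSID.Value)-512"
        'Administrators'   = 'S-1-5-32-544'
        'Server Operators' = 'S-1-5-32-549'
    }

    $seen = @{}
    foreach ($name in $groups.Keys) {
        # -Recursive flattens nested groups down to the accounts holding the right.
        $members = Get-ADGroupMember -Identity $groups[$name] -Recursive -ErrorAction Stop
        foreach ($m in $members) {
            $key = $m.SID.Value
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    SamAccountName = $m.SamAccountName
                    ObjectClass    = $m.objectClass
                    Groups         = @()
                }
            }
            $seen[$key].Groups += $name
        }
    }

    foreach ($entry in $seen.Values) {
        [pscustomobject]@{
            SamAccountName      = $entry.SamAccountName
            ObjectClass         = $entry.ObjectClass
            Via                 = $entry.Groups -join ', '
            # True = account keeps DC-level rights even if Domain Admins is trimmed.
            OutsideDomainAdmins = $entry.Groups -notcontains 'Domain Admins'
        }
    }
}

Get-DcAdminEquivalent |
    Sort-Object OutsideDomainAdmins, SamAccountName |
    Format-Table -AutoSize
```

Rows with OutsideDomainAdmins set to True are the accounts a Domain Admins cleanup alone would leave with rights on the domain controllers.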

