Re: Domain Controller Security

Actually put me as a servop in a child domain and I will make myself enterprise admin in not to long a period of time.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

        http://www.joeware.net/win/ad3e.htm



Roger Abell [MVP] wrote: 
Sure, or even just Adminsitrators fits the posters request.

Joe however is correct in providing the precautionary warning, as
either Server Operators or Administrators could without too much
effort elevate themselves to Domain Admins (or Enterprise Admins
if on the forestroot domain).

As such some feel it is better to not pretend that one has gained
something solid by not making use of Domain Admins membership
to begin with (so that all due precautions are attended to).

"Ondrej Sevecek" <ondra at my_surname dot com> wrote in message news:uaYjjjDHGHA.3752@xxxxxxxxxxxxxxxxxxxxxxx 
Sever Operators.


O.



"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message news:uLCJI8KGGHA.1396@xxxxxxxxxxxxxxxxxxxxxxx
You can't do it. They have to have admin rights to the DC and once they have that they have more than enough rights to escalate all the way to enterprise admin or anything else they want.

The way this was handled in a fortune 5 company I managed 400 global DCs for (with 3 admins and a manager) was to demote DCs when hardware work needed to be done. If that couldn't occur, the DC was cut out of the forest and reloaded and the admin did the work and then it was repromoted.

With Longhorn AD this will be a little easier to handle in WAN Site situations.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


corydch@xxxxxxxxxxx wrote: 
I'm running Windows Server 2003 in Active Directory environment. I am
trying to trim my domain administrators but having trouble because I
have people who administer the hardware for a domain controller who I
want to remove from the group. Anyone know of a way to give non-domain
adminis access to device manager for hardware purposes without making
them full domain administrators? Any suggestions would be appreciated.

Cory




.

Relevant Pages

  • RE: Automating Local Computer Admin Rights
    ... groups the first box that pops up add administrators. ... add domain admins because they are there by deafult and add adminstrators. ... gpo settings will not tricly down or inherit the settings just from a child ... members of the administrators group on the local machine. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Domain Administrator privs on Client
    ... It is fairly normal to restrict admin access to SQL Server to only ... Domain Admins is added to a machine's Administrators ... I have an SQL server on my domain, I have to login as the local sql ...
    (microsoft.public.windows.group_policy)
  • Re: Weird security problem in my WIn2K domain
    ... Keep in mind that enterprise admins group has no administrative powers on ... Another thing to try is to create a new account ... add that account to the local administrators ... enable auditing of account logon events in Domain Controller Security Policy ...
    (microsoft.public.windows.server.security)
  • Re: restricting admin access to network
    ... administrators group for the "domain" or domain admins group from becoming ... whatever they want including enterprise or schema administrators. ... You may want to use "member of" option when you do this, ... > 2) Can I modify the default domain GPO ACL to only have enterprise admin ...
    (microsoft.public.security)
  • Re: Local Logon To Domain Controller
    ... That dose this administrators out to PCs have to do? ... PC Admins or what ever you want. ... >>> Server machine itself. ... >>logon locally on DCs. ...
    (microsoft.public.win2000.active_directory)