Re: Security question
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Jun 2006 15:04:32 -0500
Well, you could try adding him to the Print Operators group in Active
Directory Users and Computers, but I would only consider that if he is
extremely competent and trustworthy. I DON'T like the idea of anybody other
than a domain level administrator running backup software on a domain
controller. Keep in mind that every domain controller has a writeable copy
of Active Directory for the whole domain, and if he accessed something he was
not supposed to or damaged something he was not supposed to, the consequences
could be huge. It is also a bad idea to have a domain controller being a jack
of all trades. You really might want to consider putting another server at
that location, or demote the domain controller to a regular domain server and
then use it for whatever you need, and then you can give him access for what
he needs to do without jeopardizing the whole domain.
-- Steve
"Haim Beyhan" <haimb@xxxxxxxxxx> wrote in message
news:%23c6scJ7kGHA.4444@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
We have one AD domain 2003 with 3 sites. AD is installed in every site and
every DC is also GC, DNS, Wins, DHCP etc. One of the sites has only 3
people but as they're using an application that depends on user
permissions and groups, we decided to install DC+GC there too. But the
same DC has all the network services above and plus backupexec, antivirus,
print server, file server and clearcase server. I have only one guy there
that is not a system admin but he would like to log on to this server and run
the backupexec software or manage printers or other application based
stuff. My question is how I can grant this guy access to this DC for only
specific applications and deny him access to AD management or DNS-wins
management etc.
Thanks,
Haim Beyhan