Re: DC Admin question
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Fri, 19 Jan 2007 23:29:36 -0700
You would need to give him login rights to that DC only, using a GPO
to grant the "Log on locally" user right, which GPO applies not to
all DCs in the Domain Controllers OU, but to just that DC. In doing this
one must keep in mind that the list of grantees will replace, not augment,
the list as stated in the GPO hierarchy impacting the DCs in general, so
it must be a mindful and complete list.
Now, that would let you grant a non-admin local login rights to the
specific DC. However, what can that non-admin then do?
You indicated "manage user shares, setup printers, etc", so much is
in the "etc".
For shares, you could preconfigure some top-level shares, with
share-level permissions for admin access and a Change grant to
the sum of all domain user accounts that would be active at that
location, and then grant the local IT contact group control on the
content (at NTFS level) below the pre-configured, shared dirs.
Of course, if you also granted the local IT contact group a Full
share-level grant, then they could manage the storage using a
mapped drive and would not need local login to the DC.
Printers are more difficult, as this involves an install, and in
particular a driver install. Granting this capability to someone
on a DC gives them the foot-in-the-door by which, with skill or
luck in downloading, they could effect elevation of their account
(potentially making them able to act as any account in any of
the domains in the forest). There is, however, a policy to prevent
install of printer drivers by users, which is normally enabled (i.e.
normally prevents). I would not recommend changing this.
Now, what else is in that "etc"?
It comes down to a question of just how much you are willing
to place at risk, given that some actions, once done to AD, will
have broad effect everywhere; and given that, with sufficient
skill (or research) and will, someone with access to those enabled
credentials can elevate their privilege level.
Roger
"jim" <jim@xxxxxxxxxx> wrote in message
news:e5CTVK9OHHA.400@xxxxxxxxxxxxxxxxxxxxxxx
We've got a DC at a remote site that doubles as the office's file/print
server. The problem is that we need to allow our local IT contact to
manage user shares, setup printers, etc, but we're not sure how to give
him logon rights without making him a domain admin.
Does anyone know of a TechNet white paper (or something) that explains how
to get around this?
Thanks in advance!
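Added example, not part of Roger's or Jim's posts: a PowerShell script that puts the two pieces of Roger's advice into practice on the site DC. The first part exports the DC's effective user rights with secedit and checks that the "Allow log on locally" list still contains the Default Domain Controllers Policy grantees as well as the contact group, since a GPO that defines the right replaces the list rather than adding to it. The second part pre-configures a top-level share with admin Full and user Change at the share level, then grants the IT contact group NTFS rights on the content below it, with Roger's mapped-drive alternative as an option. The domain name CONTOSO, the groups Site1-IT and Site1-Users, and the path D:\Shares\Site1 are assumptions for the example.

```powershell
# Added example, not from the thread. Assumed names: domain CONTOSO, local IT
# contact group CONTOSO\Site1-IT, site user group CONTOSO\Site1-Users, share
# root D:\Shares\Site1. Run in an elevated PowerShell session on the DC itself.

# --- 1. Verify the "Allow log on locally" list on this DC is complete -------
# A GPO that defines this user right replaces the whole list; the GPO scoped
# to the single DC must therefore carry the DC defaults plus the new group.
$DefaultDcLogonLocally = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-32-548'   # BUILTIN\Account Operators
    'S-1-5-32-549'   # BUILTIN\Server Operators
    'S-1-5-32-550'   # BUILTIN\Print Operators
    'S-1-5-32-551'   # BUILTIN\Backup Operators
    'S-1-5-9'        # ENTERPRISE DOMAIN CONTROLLERS
)

function Get-LogonLocallyGrantees {
    # Export the effective local security policy (secedit writes UTF-16) and
    # return the SIDs currently holding SeInteractiveLogonRight.
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $inf -Encoding Unicode |
        Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Entries look like "*S-1-5-32-544,*S-1-5-9"; strip the leading "*".
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-LogonLocallyList {
    param([string]$ContactGroup)   # e.g. 'CONTOSO\Site1-IT'
    $account = New-Object System.Security.Principal.NTAccount($ContactGroup)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $granted = Get-LogonLocallyGrantees
    $missing = ($DefaultDcLogonLocally + $sid) | Where-Object { $_ -notin $granted }
    if ($missing) {
        Write-Warning "SeInteractiveLogonRight is missing: $($missing -join ', ')"
    } else {
        Write-Host 'Allow log on locally list holds the DC defaults and the contact group.'
    }
    $missing   # empty when the scoped GPO carried a complete list
}

# --- 2. Pre-configure the share so the contact manages content, not the DC --
function New-SiteShare {
    param(
        [string]$Name, [string]$Path, [string]$UsersGroup, [string]$ItGroup,
        [switch]$ItManagesViaMappedDrive
    )
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # Share level: admins Full, the site's users Change, nobody else.
    New-SmbShare -Name $Name -Path $Path `
        -FullAccess 'BUILTIN\Administrators' `
        -ChangeAccess $UsersGroup | Out-Null

    # NTFS level. The pre-configured root stays admin-owned: users may only
    # list it, the IT group may create folders in it. Everything BELOW the
    # root (IO = inherit-only ACEs) is where the IT group gets Full so it can
    # manage per-user folders and their permissions; users get Modify there.
    icacls $Path /grant "${UsersGroup}:RX"             | Out-Null
    icacls $Path /grant "${UsersGroup}:(OI)(CI)(IO)M"  | Out-Null
    icacls $Path /grant "${ItGroup}:M"                 | Out-Null
    icacls $Path /grant "${ItGroup}:(OI)(CI)(IO)F"     | Out-Null

    if ($ItManagesViaMappedDrive) {
        # Roger's alternative: Full at the share level lets the IT contact
        # manage the storage over a mapped drive with no local logon at all.
        Grant-SmbShareAccess -Name $Name -AccountName $ItGroup `
            -AccessRight Full -Force | Out-Null
    }
    Get-SmbShareAccess -Name $Name
}

# Usage on the site DC (assumed names):
Test-LogonLocallyList -ContactGroup 'CONTOSO\Site1-IT'
New-SiteShare -Name 'Site1' -Path 'D:\Shares\Site1' `
    -UsersGroup 'CONTOSO\Site1-Users' -ItGroup 'CONTOSO\Site1-IT'
```

Run the check after a gpupdate on the DC; an empty result from Test-LogonLocallyList means the scoped GPO did not knock out the built-in operator groups or ENTERPRISE DOMAIN CONTROLLERS. Note that D:\Shares\Site1 also inherits whatever ACL its parent carries, so review the parent folder before exposing the share.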