Re: DC Admin question



Actually, as I think Joe was hinting at, with physical access to the box
you've pretty much already decided to trust the IT guy as a domain admin. If
he's evil, he's got all the access he needs right now. If he's not, you may
as well give him a domain admin account.

You have to be an admin to install printers because they use kernel mode
drivers. You can't manage shares without being an admin either, so the
decision is quite easy.

The read-only DC in Longhorn will be great for this type of scenario.

"Roger Abell [MVP]" wrote:

You would need to give him logon rights to that DC only, using a GPO
to grant the Log on locally user right, with that GPO applied not to
all DCs in the DCs OU but to just that DC. In doing this one must keep
in mind that the list of grantees will replace, not augment, the list as
stated in the GPO hierarchy impacting the DCs in general, so it must
be a mindful and complete list.

Now, that would let you grant a non-admin local login rights to the
specific DC. However, what can that non-admin then do?
You indicated "manage user shares, setup printers, etc", so much is
in the "etc".

For shares, you could preconfigure some top-level shares, with
share-level permissions for admin access and a Change grant to
the sum of all domain user accounts that would be active at that
location, and then grant the local IT contact group control on the
content (at NTFS level) below the pre-configured, shared dirs.
Of course, if you also granted the local IT contact group a Full
share-level grant, then they could manage the storage using a
mapped drive and would not need local login to the DC.

Printers are more difficult, as this involves an install, and in
particular a driver install. Granting this capability to someone
on a DC gives them the foot in the door by which, with skill or
luck in downloading, they could effect elevation of their account
(potentially making them able to act as any account in any of
the domains in the forest). There is however a policy to prevent
installation of printer drivers by users, which is normally enabled (i.e.
normally prevents). I would not recommend changing this.

Now, what else is in that "etc"?
It comes down to a question of just how much you are willing
to place at risk, given that some actions, once done to AD will
have broad effect everywhere; and given that with sufficient
skill (or research) and will someone with access to those enabled
credentials can elevate their privilege level.

Roger
"jim" <jim@xxxxxxxxxx> wrote in message
news:e5CTVK9OHHA.400@xxxxxxxxxxxxxxxxxxxxxxx
We've got a DC at a remote site that doubles as the office's file/print
server. The problem is that we need to allow our local IT contact to
manage user shares, setup printers, etc, but we're not sure how to give
him logon rights without making him a domain admin.

Does anyone know of a TechNet white paper (or something) that explains how
to get around this?

Thanks in advance!
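The three things Roger describes (a DC-specific "Allow log on locally" grant whose list replaces rather than extends the inherited one, the "prevent users from installing printer drivers" policy, and a pre-built top-level share with share-level and NTFS permissions split the way he lays out) as one script. This is an added example, not posted by anyone in the thread; the domain name CORP, the groups CORP\SiteIT and CORP\SiteUsers, the share path, and the use of the SmbShare cmdlets (Windows Server 2012 or later) are all assumptions, and the script is meant to be run elevated on the site DC after the GPO has been linked and applied.

```powershell
# Added example, not from the thread. Assumptions (all hypothetical): elevated
# PowerShell on the site DC (Windows Server 2012+ for New-SmbShare); domain CORP;
# local IT contact group CORP\SiteIT; site users group CORP\SiteUsers; share root
# D:\Shares\Users.
param(
    [string]$ItGroup    = 'CORP\SiteIT',
    [string]$UsersGroup = 'CORP\SiteUsers',
    [string]$ShareName  = 'Users',
    [string]$SharePath  = 'D:\Shares\Users'
)

# --- 1. "Allow log on locally" as it actually resolved on this DC ---------------
# A GPO that defines a user right replaces the inherited grantee list, so after the
# DC-specific GPO applies, confirm the operator groups that the Default Domain
# Controllers Policy normally grants are still present alongside the IT group.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue
if (-not $line) { throw 'SeInteractiveLogonRight not found in the secedit export' }
$sids = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }

$defaults = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators'
    'S-1-5-32-551' = 'Backup Operators'
}
foreach ($sid in $defaults.Keys) {
    if ($sids -notcontains $sid) {
        Write-Warning "Allow log on locally no longer includes $($defaults[$sid]) ($sid): the GPO list is incomplete"
    }
}
$itSid = (New-Object System.Security.Principal.NTAccount($ItGroup)).Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($sids -contains $itSid) { "$ItGroup can log on locally to $env:COMPUTERNAME" }
else { Write-Warning "$ItGroup is not in Allow log on locally on this DC" }

# --- 2. The printer-driver policy -----------------------------------------------
# "Devices: Prevent users from installing printer drivers" lives in this key;
# AddPrinterDrivers = 1 means the policy is enabled (the server default). Report only;
# do not relax it on a DC.
$printKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
$addDrivers = (Get-ItemProperty -Path $printKey -Name AddPrinterDrivers -ErrorAction SilentlyContinue).AddPrinterDrivers
if ($addDrivers -eq 1) { 'Printer driver installation by non-admins is blocked (policy enabled)' }
else { Write-Warning "AddPrinterDrivers is '$addDrivers': non-admins may be able to load printer drivers on this DC" }

# --- 3. Pre-built top-level share ----------------------------------------------
# Share level: Administrators Full, IT group Full (so it can manage the storage over a
# mapped drive without a local logon), site users Change. NTFS level: the IT group gets
# Full Control on everything *below* the share root (InheritOnly), leaving the root's
# own ACL untouched.
if (-not (Test-Path $SharePath)) { New-Item -ItemType Directory -Path $SharePath | Out-Null }
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath `
        -FullAccess 'BUILTIN\Administrators', $ItGroup `
        -ChangeAccess $UsersGroup | Out-Null
}
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $ItGroup, 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl
Get-SmbShareAccess -Name $ShareName
```

The user-rights check reads the policy as it resolved on the machine (secedit's export), which is the only place the "replace, not augment" mistake shows up: if the DC-specific GPO listed only the IT group, the warnings will name each operator group that silently lost local logon. Effective access on the share is the intersection of the share-level and NTFS grants, which is why the IT group needs Full at both levels to manage content remotely while site users are held to Change.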



