Re: Logon Using Terminal Services GPO
- From: "Mathieu CHATEAU" <gollum123@xxxxxxx>
- Date: Fri, 17 Aug 2007 17:31:27 +0200
How to be administrator of the DC Server without being domain admins ?
I created a test account, only member of the builtin administrators groups.
I can create AD account, modify domain admins members & co.
That's domain admins power for me !
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message news:%23w5$McN4HHA.5160@xxxxxxxxxxxxxxxxxxxxxxx
"Mathieu CHATEAU" <gollum123@xxxxxxx> wrote in message news:%23RIV5W%233HHA.3600@xxxxxxxxxxxxxxxxxxxxxxxYou can create a GPO that only apply to this DC.
Use GPMC if not already.
Add a security filtering on the GPO, so it apply only to this DC.
Take care, being admin of DC means admin of the Domain. They may change your GPO to get full access anyway
Actually being in Administrators does not mean they are admin
of the domain, they need to be in Domain Admins for that.
However, it does mean they could easily elevate their account
to Domain Admins membership.
To poster:
Limiting them to RDP login on one DC, as Mathieu has indicated via
a GPO impacting only the intended DC, will not really gain you much.
Once on there they only need to open up any of a number of remote
management tools and set the focus to DC of choice.
If you do not have trust then do not extend trust.
There is no middle ground.
Roger
"Mathew V" <mvlandys@xxxxxxxxx> wrote in message news:1187247447.765096.311480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxHi All,
I've searching high and low for an answer but it doesn't look like
anyone has asked this question before. The company I work for has 5
domain controllers (all in separate locations - Aus, UK, India etc).
The company's main IT Dept (who I work for) admins all these servers,
though recently we have employed some systems admin contractors to
look after the AD servers in India.
The server is in a rack with no monitor attached so the only way for
these guys to log in is via RDP/Terminal Services. I have added their
user account in "Domain Controller Security Policy" -> "User Rights
Assignment" -> "Allow log on through Terminal Services".
So now they can logon remotely and administer the server (check event
logs, create users etc). I have also given them the right to shut down
the server, as from time to time they may need to bounce the server
for hardware upgrades etc.
Though I do not want them having RDP access or shutdown other servers
within the domain. Unfortunately the GPOs that I've edited give these
users those permissions throughout all domain controllers.
Is there a way to specify which domain controllers I want these users
to be able to RDP & shutdown.
.
- Follow-Ups:
- Re: Logon Using Terminal Services GPO
- From: Roger Abell [MVP]
- Re: Logon Using Terminal Services GPO
- References:
- Logon Using Terminal Services GPO
- From: Mathew V
- Re: Logon Using Terminal Services GPO
- From: Mathieu CHATEAU
- Re: Logon Using Terminal Services GPO
- From: Roger Abell [MVP]
- Logon Using Terminal Services GPO
- Prev by Date: Re: Permit only one network logon per user
- Next by Date: Re: Permit only one network logon per user
- Previous by thread: Re: Logon Using Terminal Services GPO
- Next by thread: Re: Logon Using Terminal Services GPO
- Index(es):
Relevant Pages
|
|
