Domain Controller Security

Newsgroup: microsoft.public.windows.server.security
Posted by corydch on January 13, 2006, 4:43 pm
I'm running Windows Server 2003 in an Active Directory environment. I am
trying to trim my domain administrators but having trouble because I
have people who administer the hardware for a domain controller whom I
want to remove from the group. Anyone know of a way to give non-domain
admins access to Device Manager for hardware purposes without making
them full domain administrators? Any suggestions would be appreciated.

Cory


Posted by Joe Richards [MVP] on January 13, 2006, 9:06 pm
You can't do it. They have to have admin rights to the DC and once they have
that they have more than enough rights to escalate all the way to enterprise
admin or anything else they want.

The way this was handled in a Fortune 5 company where I managed 400 global DCs
(with 3 admins and a manager) was to demote DCs when hardware work needed to be
done. If that couldn't occur, the DC was cut out of the forest and reloaded, the
admin did the work, and then it was repromoted.

With Longhorn AD this will be a little easier to handle in WAN Site situations.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


corydch@hotmail.com wrote:
> I'm running Windows Server 2003 in an Active Directory environment. I am
> trying to trim my domain administrators but having trouble because I
> have people who administer the hardware for a domain controller whom I
> want to remove from the group. Anyone know of a way to give non-domain
> admins access to Device Manager for hardware purposes without making
> them full domain administrators? Any suggestions would be appreciated.
>
> Cory
>

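Joe's rule, demote the DC before the hardware people touch it, can be enforced on the box itself. The PowerShell script below is an added example written for this page, not code posted in the thread or taken from joeware.net. It refuses to hand out local Administrators while the machine is still a domain controller (on a DC there is no separate local SAM, so "local Administrators" is the domain's built-in Administrators group), and otherwise grants the technician account for the duration of the work and revokes it afterwards. It assumes it is run elevated on the target server with PowerShell 2.0 or later, and the technician account CORP\hwtech is a hypothetical name.

```powershell
# Added example (not from the thread): make "demote before hardware work" a
# check on the server itself. On a domain controller there is no local SAM,
# so "local Administrators" is the domain's built-in Administrators group and
# granting it is a DC-level grant.
# Assumptions: run elevated on the target server; CORP\hwtech is a
# hypothetical technician account; PowerShell 2.0+ (Get-WmiObject, [ADSI]).

param(
    [string]$HardwareAdmin = 'CORP\hwtech',   # hypothetical account
    [switch]$Revoke                           # remove the grant when the work is done
)

# Win32_ComputerSystem.DomainRole: 0/1 workstation, 2 standalone server,
# 3 member server, 4 backup domain controller, 5 primary domain controller.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole

if ($role -ge 4) {
    Write-Warning "$env:COMPUTERNAME is a domain controller (DomainRole=$role)."
    Write-Warning "Adding $HardwareAdmin to Administrators here is a domain-level grant."
    Write-Warning "Demote first (dcpromo), do the hardware work, then re-promote."
    exit 1
}

# Not a DC, so the local Administrators group really is local.
$domain, $user = $HardwareAdmin -split '\\', 2
$group = [ADSI]"WinNT://./Administrators,group"
$path  = "WinNT://$domain/$user"

# ADsPath of each current member, e.g. WinNT://CORP/hwtech
$members = @($group.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

if ($Revoke) {
    if ($members -contains $path) {
        $group.Remove("$path,user")
        Write-Host "Removed $HardwareAdmin from local Administrators on $env:COMPUTERNAME."
    }
}
elseif ($members -notcontains $path) {
    $group.Add("$path,user")
    Write-Host "Added $HardwareAdmin to local Administrators on $env:COMPUTERNAME; run again with -Revoke when the work is done."
}
```

Run it once before handing the box over and once more with -Revoke afterwards; if it exits with the DC warning, the server has not been demoted and the grant should not be made.
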
Posted by Ondrej Sevecek on January 18, 2006, 9:10 am
Server Operators.


O.



> You can't do it. They have to have admin rights to the DC and once they
> have that they have more than enough rights to escalate all the way to
> enterprise admin or anything else they want.
>
> The way this was handled in a fortune 5 company I managed 400 global DCs
> for (with 3 admins and a manager) was to demote DCs when hardware work
> needed to be done. If that couldn't occur, the DC was cut out of the
> forest and reloaded and the admin did the work and then it was repromoted.
>
> With Longhorn AD this will be a little easier to handle in WAN Site
> situations.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>



Posted by Roger Abell [MVP] on January 26, 2006, 2:30 am
Sure, or even just Administrators fits the poster's request.

Joe, however, is correct in providing the precautionary warning, as
either Server Operators or Administrators could without too much
effort elevate themselves to Domain Admins (or Enterprise Admins
if on the forest root domain).

As such, some feel it is better not to pretend that one has gained
something solid by not making use of Domain Admins membership
to begin with (so that all due precautions are attended to).

"Ondrej Sevecek" <ondra at my_surname dot com> wrote in message
> Server Operators.
>
>
> O.



Posted by Joe Richards [MVP] on January 27, 2006, 10:29 pm
Actually, put me as a servop in a child domain and I will make myself Enterprise
Admin in not too long a period of time.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Roger Abell [MVP] wrote:
> Sure, or even just Administrators fits the poster's request.
>
> Joe, however, is correct in providing the precautionary warning, as
> either Server Operators or Administrators could without too much
> effort elevate themselves to Domain Admins (or Enterprise Admins
> if on the forest root domain).
>
> As such, some feel it is better not to pretend that one has gained
> something solid by not making use of Domain Admins membership
> to begin with (so that all due precautions are attended to).
>

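Roger's and Joe's point is that Server Operators or Administrators on a DC is, in practice, Domain Admins, so trimming Domain Admins only helps if those groups are trimmed too. The PowerShell script below is an added example written for this page, not code posted in the thread; it lists every account that effectively (directly or through nesting) belongs to the four groups the thread names, and flags anyone not on an allow-list. It uses System.DirectoryServices only (no RSAT module) and assumes PowerShell 3.0 or later, read access to the directory, and a DC that supports the LDAP_MATCHING_RULE_IN_CHAIN extensible match (Windows Server 2003 SP2 and later). The allow-list contents are hypothetical.

```powershell
# Added example, not code from the thread: enumerate who effectively holds
# domain-controller-level rights in this domain, so "trimming Domain Admins"
# does not stop at Domain Admins. Uses System.DirectoryServices only (no RSAT).
# Assumptions: run as a domain user with read access to the directory;
# PowerShell 3.0+; the DC answering the query supports
# LDAP_MATCHING_RULE_IN_CHAIN (Windows Server 2003 SP2 and later);
# $approved is a hypothetical allow-list for this example.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = [string]$rootDse.defaultNamingContext

# Groups whose members can reach Domain Admins / Enterprise Admins from a DC,
# as the thread points out: the two obvious ones plus the two built-ins that
# are easy to overlook. Enterprise Admins exists only in the forest root, so
# in a child domain that query simply returns nothing.
$watched = @(
    "CN=Domain Admins,CN=Users,$domainDN",
    "CN=Enterprise Admins,CN=Users,$domainDN",
    "CN=Administrators,CN=Builtin,$domainDN",
    "CN=Server Operators,CN=Builtin,$domainDN"
)

# Hypothetical allow-list of sAMAccountNames that are supposed to be there.
$approved = @('Administrator', 'cory')

function Get-EffectiveMembers {
    param([string]$GroupDN)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
    # The 1.2.840.113556.1.4.1941 rule makes the DC expand nested groups, so a
    # user who is in Server Operators through three levels of nesting is found.
    $searcher.Filter   = "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$GroupDN))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['samaccountname'][0]
    }
}

$report = foreach ($groupDN in $watched) {
    $groupName = (($groupDN -split ',')[0] -replace '^CN=')
    foreach ($member in (Get-EffectiveMembers -GroupDN $groupDN)) {
        [pscustomobject]@{
            Group    = $groupName
            Member   = $member
            Approved = ($approved -contains $member)
        }
    }
}

$report | Sort-Object Group, Member | Format-Table -AutoSize

# Anyone here who is not on the allow-list holds DC-level rights, whichever
# group gave them: Server Operators counts as much as Domain Admins.
$report | Where-Object { -not $_.Approved } | ForEach-Object {
    Write-Warning ("{0} holds DC-level rights through {1} and is not approved." -f $_.Member, $_.Group)
}
```

Two caveats a practitioner will hit: the search is scoped to this domain's naming context, so accounts from other domains in the forest that sit in these groups (the forest root's Enterprise Admins inside a child domain's Administrators, for example) are not listed and need a separate run against their own domain; and the same person will appear under several groups because Domain Admins is itself nested in Administrators, which is exactly the overlap the thread is warning about.
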