Posted by Roger Abell [MVP] on August 20, 2007, 12:04 am
> How to be administrator of the DC Server without being domain admins ?
>
Administrators group in a domain does not have a number of grants
to it in AD which are instead made to Domain Admins.
> I created a test account, only member of the builtin administrators
> groups.
> I can create AD account, modify domain admins members & co.
> That's domain admins power for me !
>
Like I said, it is trivial to elevate from Administrators to Domain
Admins, although one can play games with restricted groups etc.
in GPOs that Administrators have no rights on.
Roger
>
>>
>>> You can create a GPO that only applies to this DC.
>>> Use GPMC if not already.
>>> Add a security filtering on the GPO, so it applies only to this DC.
>>>
>>> Take care, being admin of DC means admin of the Domain. They may change
>>> your GPO to get full access anyway
>>
>> Actually being in Administrators does not mean they are admin
>> of the domain, they need to be in Domain Admins for that.
>> However, it does mean they could easily elevate their account
>> to Domain Admins membership.
>>
>> To poster:
>> Limiting them to RDP login on one DC, as Mathieu has indicated via
>> a GPO impacting only the intended DC, will not really gain you much.
>> Once on there they only need to open up any of a number of remote
>> management tools and set the focus to DC of choice.
>> If you do not have trust then do not extend trust.
>> There is no middle ground.
>>
>> Roger
>>
>>>> Hi All,
>>>> I've been searching high and low for an answer but it doesn't look like
>>>> anyone has asked this question before. The company I work for has 5
>>>> domain controllers (all in separate locations - Aus, UK, India etc).
>>>> The company's main IT Dept (who I work for) admins all these servers,
>>>> though recently we have employed some systems admin contractors to
>>>> look after the AD servers in India.
>>>>
>>>> The server is in a rack with no monitor attached so the only way for
>>>> these guys to log in is via RDP/Terminal Services. I have added their
>>>> user account in "Domain Controller Security Policy" -> "User Rights
>>>> Assignment" -> "Allow log on through Terminal Services".
>>>>
>>>> So now they can log on remotely and administer the server (check event
>>>> logs, create users etc). I have also given them the right to shut down
>>>> the server, as from time to time they may need to bounce the server
>>>> for hardware upgrades etc.
>>>>
>>>> Though I do not want them having RDP access or shutting down other servers
>>>> within the domain. Unfortunately the GPOs that I've edited give these
>>>> users those permissions throughout all domain controllers.
>>>>
>>>> Is there a way to specify which domain controllers I want these users
>>>> to be able to RDP & shutdown?
>>>>
>>>
>>
>>
>
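An added audit script (not from the thread, and not something any poster supplied) that turns Roger's point into a check a domain owner can run: it lists every account that sits in the domain's builtin Administrators group (directly or through nesting) without also being in Domain Admins, since those are exactly the accounts that could elevate themselves. It assumes the ActiveDirectory PowerShell module, which did not exist on the 2007-era servers in the thread but ships with RSAT on Windows Server 2008 R2 and later.

```powershell
# Added example: find Administrators members who are not Domain Admins.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Well-known identifiers: builtin Administrators is S-1-5-32-544,
# Domain Admins is <domain SID>-512.
$domainSid    = (Get-ADDomain).DomainSID.Value
$admins       = Get-ADGroup -Identity 'S-1-5-32-544'
$domainAdmins = Get-ADGroup -Identity "$domainSid-512"

# -Recursive expands nested groups, so a user reached through
# "Contractors -> Administrators" is still reported.
$adminMembers = Get-ADGroupMember -Identity $admins -Recursive
$daSids = Get-ADGroupMember -Identity $domainAdmins -Recursive |
    ForEach-Object { $_.SID.Value }

# Users in Administrators that Domain Admins does not already cover.
$escalatable = $adminMembers | Where-Object {
    $_.objectClass -eq 'user' -and ($daSids -notcontains $_.SID.Value)
}

# Report with enablement and last logon so stale or unused accounts stand out.
$report = foreach ($m in $escalatable) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        LastLogonDate  = $u.LastLogonDate
        DN             = $u.DistinguishedName
    }
}

if ($report) {
    Write-Warning "Accounts in Administrators but not Domain Admins (can self-elevate):"
    $report | Format-Table -AutoSize
} else {
    Write-Output 'No Administrators members outside Domain Admins.'
}
```

Treat every account in the output as a domain admin for review purposes; moving such an account out of Administrators, rather than filtering its logon rights by GPO, is the change that actually reduces its reach.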