
"Read-Only" branch office domain controllers?

microsoft.public.windows.server.security
Posted by Amihai Bareket on April 20, 2006, 2:34 am
Is it possible to limit permissions to a domain controller (Windows Server
2003) located in a branch office so it will practically serve as a
"read-only" DC?
I would like to limit admin access to several DCs and allow only specific
actions such as "Add computer to domain" from that DC.
All other admin tasks (such as creating users, group membership, etc.) will
be performed on the headquarters DCs and replicated to branch office.
Is there a white-paper that describes how to achieve this?

Thanks,

Amihai Bareket




Posted by Jorge de Almeida Pinto [MVP] on April 20, 2006, 1:55 am
Read-only DCs will be available in Longhorn

to answer your question... nope, not possible

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
> Is it possible to limit permissions to a domain controller (Windows Server
> 2003) located in a branch office so it will practically serve as a
> "read-only" DC?
> I would like to limit admin access to several DCs and allow only specific
> actions such as "Add computer to domain" from that DC.
> All other admin tasks (such as creating users, group membership, etc..)
> will be performed on the headquarters DCs and replicated to branch office.
> Is there a white-paper that describes how to achieve this?
>
> Thanks,
>
> Amihai Bareket
>
>
>



Posted by Amihai Bareket on April 20, 2006, 5:28 am
OK, let me try and rephrase my question -
Is it possible to limit/delegate permissions to certain administrative tasks
on a DC based on site?
If I use the regular delegations/permissions it will apply to all objects in
the database and not only to actions performed on a specific DC.

Amihai


"Jorge de Almeida Pinto [MVP]"
> Read-only DCs will be available in Longhorn
>
> to answer your question... nope, not possible
>
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>
> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> -----------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no
> rights!
> * Always test before implementing!
> -----------------------------------------------------------------------------
>
>
> -----------------------------------------------------------------------------
>> Is it possible to limit permissions to a domain controller (Windows
>> Server 2003) located in a branch office so it will practically serve as a
>> "read-only" DC?
>> I would like to limit admin access to several DCs and allow only specific
>> actions such as "Add computer to domain" from that DC.
>> All other admin tasks (such as creating users, group membership, etc..)
>> will be performed on the headquarters DCs and replicated to branch
>> office.
>> Is there a white-paper that describes how to achieve this?
>>
>> Thanks,
>>
>> Amihai Bareket
>>
>>
>>
>
>



Posted by Brian Delaney on April 20, 2006, 6:49 am
You cannot delegate based on the DC you want to make the change on. AD will
just replicate the permissions change :). But there is also no need to
delegate to every object in the domain either. Put your users in OUs based
on their physical location and then delegate at OU level and then you can
ensure certain people can only make changes on users in certain locations.
--
Brian Delaney, MCSE


"Amihai Bareket" wrote:

> OK, Let me try and rephrase my question -
> Is it possible to limit/delegate permissions to certain administrative tasks
> on a DC based on site?
> If I use the regular delegations/permissions it will apply to all objects in
> the database and not only to actions performed on a specific DC.
>
> Amihai
>
>
> "Jorge de Almeida Pinto [MVP]"
> > Read-only DCs will be available in Longhorn
> >
> > to answer your question... nope, not possible
> >
> > --
> >
> > Cheers,
> > (HOPEFULLY THIS INFORMATION HELPS YOU!)
> >
> > # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
> >
> > BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
> > -----------------------------------------------------------------------------
> > * This posting is provided "AS IS" with no warranties and confers no
> > rights!
> > * Always test before implementing!
> > -----------------------------------------------------------------------------
> >
> >
> > -----------------------------------------------------------------------------
> >> Is it possible to limit permissions to a domain controller (Windows
> >> Server 2003) located in a branch office so it will practically serve as a
> >> "read-only" DC?
> >> I would like to limit admin access to several DCs and allow only specific
> >> actions such as "Add computer to domain" from that DC.
> >> All other admin tasks (such as creating users, group membership, etc..)
> >> will be performed on the headquarters DCs and replicated to branch
> >> office.
> >> Is there a white-paper that describes how to achieve this?
> >>
> >> Thanks,
> >>
> >> Amihai Bareket
> >>
> >>
> >>
> >
> >
>
>
>
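
An added example (not part of the original thread) of the OU-level delegation described in the reply above, using `dsacls` from the Windows Server 2003 Support Tools. The domain `example.com`, the `Branch1` OU layout and the `Branch1-Operators` group are hypothetical placeholders. The ACE is stored in the directory and replicates, so it applies regardless of which DC processes the change.

```bat
@echo off
rem Added example: delegate "add computer to domain" for one branch only.
rem All names below are hypothetical placeholders, not values from the thread.
setlocal
set "BRANCH_OU=OU=Branch1,DC=example,DC=com"
set "COMPUTERS_OU=OU=Computers,%BRANCH_OU%"
set "GROUP_NAME=Branch1-Operators"
set "BRANCH_GROUP=EXAMPLE\%GROUP_NAME%"

rem Grant Create Child (CC) limited to computer objects.
rem /I:T applies the ACE to this OU and its sub-objects, so nested OUs
rem under the branch Computers OU are covered as well.
rem No rights are granted on users, groups, or any other branch's OU.
dsacls "%COMPUTERS_OU%" /I:T /G "%BRANCH_GROUP%:CC;computer"

rem Review the result: list the ACEs on the OU that mention the group.
rem Expect only the computer-creation entry added above.
dsacls "%COMPUTERS_OU%" | findstr /L /I /C:"%GROUP_NAME%"

rem Confirm the group holds nothing on the parent branch OU itself.
rem No output here means no explicit or inherited ACE names the group.
dsacls "%BRANCH_OU%" | findstr /L /I /C:"%GROUP_NAME%"
endlocal
```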

Posted by Jorge de Almeida Pinto [MVP] on April 20, 2006, 1:12 pm
still... to answer your question... nope, not possible

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
> OK, Let me try and rephrase my question -
> Is it possible to limit/delegate permissions to certain administrative
> tasks on a DC based on site?
> If I use the regular delegations/permissions it will apply to all objects
> in the database and not only to actions performed on a specific DC.
>
> Amihai
>
>
> "Jorge de Almeida Pinto [MVP]"
>> Read-only DCs will be available in Longhorn
>>
>> to answer your question... nope, not possible
>>
>> --
>>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>>
>> # Jorge de Almeida Pinto # MVP Windows Server - Directory Services
>>
>> BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> -----------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test before implementing!
>> -----------------------------------------------------------------------------
>>
>>
>> -----------------------------------------------------------------------------
>>> Is it possible to limit permissions to a domain controller (Windows
>>> Server 2003) located in a branch office so it will practically serve as
>>> a "read-only" DC?
>>> I would like to limit admin access to several DCs and allow only
>>> specific actions such as "Add computer to domain" from that DC.
>>> All other admin tasks (such as creating users, group membership, etc..)
>>> will be performed on the headquarters DCs and replicated to branch
>>> office.
>>> Is there a white-paper that describes how to achieve this?
>>>
>>> Thanks,
>>>
>>> Amihai Bareket
>>>
>>>
>>>
>>
>>
>
>


