Administrative rights on specified domain controller

[Guest]

Hi

I have domain with many DC, i want to grant some user administrative rights
only on specified DC, not for entire domain. I have read KB240267
("Administrators cannot be restricted in Windows 2000" -
http://support.microsoft.com/kb/240267). It's impossible for Win200, and what
about Win2003?

Thanks

 

[myweb]

Hello ILYA,

Which rights should they get? Maybe than it is easier to help you with a
solution without Admin rights.

Best regards

myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[Jorge de Almeida Pinto [MVP - DS]]

not possible to make someone ADMIN only on one DC

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[Roger Abell [MVP]]

There are two "levels" of admin using the domain's Administrators
group or using the Domain Admins group. Domain Admins grants
a number of things not granted by the domain's Administrators group,
such as privileges on AD objects. The domain's Administrators group
is recognized by all DCs.

What is it that you are wanting to accomplish?

 

[Steven L Umbach]

That can't be done. Some will dcpromo [even remotely] a domain controller to
a domain member server for non domain administrators to work on and then
dcpromo again when done.

Steve

 

[Joe Richards [MVP]]

If you need actual admin rights you can't. An admin on one DC is an
admin on all DCs. Plus an admin account can trivially escalate
themselves to domain and enterpise admin level rights.

There are some things you can delegate, say like stopping and starting
services but doing any of that can be very dangerous with DCs because
there are various mechanisms that people can use to escalate their
rights or otherwise cause DCs to malfunction. It is generally a bad idea
to give anyone rights to a DC that aren't the buck stops here people for
making sure the DCs work properly. I.E. If someone isn't responsible for
the end state running of the machine and the forest as a whole, don't
give them rights.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Guest]

Many DC are in another towns, and i want to server operators in this town can
install/remove programs (hotfix fro Windows and other), can create/delete
service...

 

[Jorge de Almeida Pinto [MVP - DS]]

Many DC are in another towns, and i want to server operators in this town

can
install/remove programs (hotfix fro Windows and other), can create/delete
service...

you might as well make them domain admin

also see:
http://blogs.dirteam.com/blogs/jorg...e-OS-on-DCs-but-not-for-AD_2E002E002E00_.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[Joe Richards [MVP]]

I ran a corporate forest of about 400 domain controllers globally
distributed in about every Time Zone in the world. This was all run by 3
domain admins in one city in the USA. Physical location really doesn't
come into this, it is all about if you want to be secure or not. If you
feel you really need to let others muck with a DC, more than likely you
are allowing to much to be done from a DC. DCs should be very special
machines doing at most domain auth and name res. If you don't have money
to have multiple machines, just keep that in mind when people talk to
you about security, it isn't a case where you get to be cheap and be
secure generally. You have to balance it to what makes sense for you. As
Jorge said though, if you give someone rights to modify a DC, be honest
about it and make them a domain or enterprise admin because if they have
any sense they can quickly attain that status.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm