Rights needed to install servicepack/hotfix on DC

dude

I need to grant my regional admins the rights to install service packs or
hotfixes on Win2k DCs without granting them the Domain Admin rights. Is
this possible?

thanks
 
Guest

Yes. Make them members of the domain local administrators group.

This gives them administrator access to the domain controllers, but doesn't add them to the local administrators accounts of member servers and PCs.

Paul
_______________________________

----- dude wrote: ----

I need to grant my regional admins the rights to install service packs or
hotfixes on Win2k DCs without granting them the Domain Admin rights. Is
this possible?

thanks
 
dude

I'm sorry if you missed my point. I do not want them to have full access to
the domain controllers, but need them to be able to install service packs or
hotfixes. I'd like to know if that's possible. And by "domain local
administrators" group, I'm not sure what you mean. This operation will be
performed on a DC, not a member server, so there is no local administrator's
group. All we have by the books is the Built-in Administrators group and
Domain Admins group.

ptwilliams said:
Yes. Make them members of the domain local administrators group.

This gives them administrator access to the domain controllers, but
doesn't add them to the local administrators accounts of member servers and
PCs.
 
ptwilliams

I'll explain what I meant... The builtin administrators group is, I believe,
a domain local group; meaning this is the domain local admin group. The
domain admins group is added to all domain members' local administrator
group - giving the domain admins group full control over all computers and
servers in the domain. The Domain Local groups you see on DCs are a kind of
local group to the DC - but to all DCs. The administrators group doesn't get
added to the member servers' and PCs' administrator group and therefore is only an
administrator on DCs.

Regarding only allowing installation rights, I'm not sure of how to do that
without making them administrators. I suppose, if you were to make them
power users, and then give them write access to the HKLM hive that may do
it, but I wouldn't advise such a method.


Paul.
___________________________
 
Eric Chamberlain, CISSP

dude said:
I need to grant my regional admins the rights to install service packs or
hotfixes on Win2k DCs without granting them the Domain Admin rights. Is
this possible?

To directly answer your question, yes, you can add them to the
Administrators group. I think what you are really trying to ask is: can
they modify any file on the server without impacting security? The answer is
no. If they can change system files, they can do whatever they want with
the machine and forest.

--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu
 
dude

Upon reviewing some security settings in AD, you are incorrect on this one.
By default, the built-in Administrators group DOES HAVE control over all OUs!
My point still stands: to give full access to the DC without impacting the rest
of the AD/forest related security. Is there a way to do this?

thanks
 
