Yes, untrusted admin + DC logon access = no more security.

If you're trying to lock him down, then you can't give him access to the
DC. Can you give him a member server for the file shares and just
delegate the password administration on the OU?

-g

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ASB
Sent: Wednesday, September 21, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

That sounds dangerous.

If you give him access to that server, particularly local logon
access, you might as well just put him in the Enterprise Admin group
and save both of you a few moments of work.


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 9/20/05, van Donk, Fred <[EMAIL PROTECTED]> wrote:
> I have a contractor in a remote site. There is only 1 server in that site
> which is a DC.
>
> He needs to administer that server.
> -Create shares
> -Make file/share permissions
> -Change user passwords in the User OU for that site.
>
> He is not allowed to log on to any other server in the domain.
>
> When I make him a "Server Operator" he can logon to any server in the
> domain.
>
> Any idea on how to lock him down to that one server and then how to lock him
> down on that one OU where he should only be allowed to change the passwords
> of the users.
>
> Thanks!
> Fred
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
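
The split suggested in the top reply (file shares on a member server, password administration delegated on the OU), sketched as an added example that is not part of the thread and not written by its participants. The OU path, group name, and account name are constructed placeholders; the `dsacls` permission strings assume the standard "Reset Password" extended right and the `pwdLastSet` attribute on user objects.

```powershell
# Added example. All names are constructed placeholders (assumptions).
$ou       = 'OU=SiteUsers,DC=example,DC=com'   # hypothetical OU holding the site's users
$delegate = 'EXAMPLE\site-pwreset'             # hypothetical group containing the contractor
$account  = 'EXAMPLE\contractor'               # hypothetical contractor account

# --- Run as a domain admin, against the directory ---
# Grant the "Reset Password" extended right (CA = control access) on user
# objects under the OU. /I:S applies the ACE to sub-objects only, not the OU itself.
dsacls $ou /I:S /G "${delegate}:CA;Reset Password;user"

# Grant write access to pwdLastSet on those user objects so the delegate can
# require a password change at next logon after a reset.
dsacls $ou /I:S /G "${delegate}:WP;pwdLastSet;user"

# Review the resulting ACEs for the delegate and confirm nothing broader was granted.
dsacls $ou | Select-String -SimpleMatch $delegate

# --- Run locally on the member server that hosts the file shares ---
# Local Administrators membership on this one machine covers share creation and
# NTFS/share permissions without granting any rights on domain controllers.
net localgroup Administrators $account /add
```

Because the account holds no built-in domain group membership such as Server Operators, it gains no logon rights on the DC or on other servers.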