I remember a conversation about creating OUs under the Domain Controllers OU and how MSFT didn't recommend it, or didn't support it or something. joe?
 
That aside, you can't give local logon to a DC; there are no local accounts on a DC, only domain accounts. That means that if he can log on to that DC he has enough rights to do some bad things (which has already been covered in this thread, so I won't bother getting into it again).
 
As joe just said: don't do this.
 
Phil

 
On 9/22/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

You might consider a lower level OU under the Domain Controllers OU with a different GPO that grants him local logon to just that DC.

Thank You ! And have a nice day !

**************************************************************
Mark Lunsford
KAISER PERMANENTE
Security Operations
Remedy Group: NOPS SECURITY EDOS SYS
Direct Manager: Bud Furrow
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-4077
**************************************************************



"Gil Kirkpatrick" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/21/2005 05:03 PM
To: <ActiveDir@mail.activedir.org>
cc:
Subject: RE: [ActiveDir] Domain Controller Security

Yes, untrusted admin + DC logon access = no more security.

If you're trying to lock him down, then you can't give him access to the
DC. Can you give him a member server for the file shares and just
delegate the password administration on the OU?

-g

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of ASB
Sent: Wednesday, September 21, 2005 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

That sounds dangerous.

If you give him access to that server, particularly local logon
access, you might as well just put him in the Enterprise Admin group
and save both of you a few moments of work.


-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/


On 9/20/05, van Donk, Fred <[EMAIL PROTECTED]> wrote:
> I have a contractor in a remote site. There is only 1 server in that site
> which is a DC.
>
> He needs to administer that server.
> -Create shares
> -Make file/share permissions
> -Change user passwords in the User OU for that site.
>
> He is not allowed to log on to any other server in the domain.
>
> When I make him a "Server Operator" he can logon to any server in the
> domain.
>
> Any idea on how to lock him down to that one server and then how to lock him
> down on that one OU where he should only be allowed to change the passwords
> of the users.
>
> Thanks!
> Fred
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
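Added example (not posted by anyone in this thread) of the approach Gil describes: delegate only the "Reset Password" extended right on the site's user OU, and confine the contractor's interactive logon to a member server that hosts the shares rather than to the DC. The OU DN, group names and file paths are assumed placeholders; the two schema GUIDs are the fixed values for the Reset Password extended right and the user object class. Requires the RSAT ActiveDirectory module on the admin workstation; the logon-rights function is meant to be run on the member server itself.

```powershell
Import-Module ActiveDirectory

# --- Assumed names (placeholders, not from the thread) ---
$siteUsersOU   = "OU=Users,OU=RemoteSite,DC=example,DC=com"
$delegateGroup = "RemoteSite-PasswordAdmins"   # put the contractor's account in this group

# Fixed schema GUIDs referenced by the ACE
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # extended right: Reset Password
$userClassGuid      = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # object class: user

function Grant-ResetPasswordOnOU {
    param([string]$OuDN, [string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName
    $path  = "AD:\" + $OuDN
    $acl   = Get-Acl -Path $path

    # Allow only the Reset Password extended right, inherited by descendant
    # user objects. Nothing else on the OU (no generic write, no group edits).
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Show-OuDelegation {
    # Verification step: list every ACE on the OU granted to the delegate group.
    param([string]$OuDN, [string]$GroupName)
    (Get-Acl -Path ("AD:\" + $OuDN)).Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType
}

function Set-LocalLogonRights {
    # Run on the member server holding the shares. Replaces "Allow log on locally"
    # and "Allow log on through Remote Desktop" with exactly the listed principals.
    # On a DC this would be overridden by the Default Domain Controllers Policy,
    # which is one more reason the file shares belong on a member server; the
    # same [Privilege Rights] lines can go into a GPO linked to an OU that
    # contains only this server.
    param([string[]]$AllowedPrincipals)   # e.g. "Administrators","EXAMPLE\RemoteSite-ServerAdmins"

    $list = $AllowedPrincipals -join ','
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $list
SeRemoteInteractiveLogonRight = $list
"@
    $infPath = Join-Path $env:TEMP "logon-rights.inf"
    $dbPath  = Join-Path $env:TEMP "logon-rights.sdb"
    Set-Content -Path $infPath -Value $inf -Encoding Unicode
    secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS
}

# Usage (assumed names):
Grant-ResetPasswordOnOU -OuDN $siteUsersOU -GroupName $delegateGroup
Show-OuDelegation       -OuDN $siteUsersOU -GroupName $delegateGroup
# On the member server:
# Set-LocalLogonRights -AllowedPrincipals "Administrators","EXAMPLE\RemoteSite-ServerAdmins"
```

The point of the two halves is that the contractor's AD permission is an object-level ACE on one OU, while his logon rights are a machine-level setting on one member server; neither grants anything on the DC, so the "Server Operators" problem (domain-wide logon to every server) never arises. After running Grant-ResetPasswordOnOU, the Show-OuDelegation output should list a single ExtendedRight ACE whose ObjectType is the Reset Password GUID and whose InheritedObjectType is the user class; anything broader than that is a delegation mistake worth fixing before the contractor gets the account.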