>>> make it a child domain so he can't climb up the tree

Not only will (s)he be able to run up the tree, (s)he will own the tree, the leaves, the bushes, the grasses, and, for that matter, the forest. The Domain is NOT a security boundary. It is an administrative boundary. Service administrators have the ability to cross domain boundaries within a forest.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Gideon Ashcraft
Sent: Thu 9/22/2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

The only thing to do is to make him an admin of that site, or better yet make that site a child domain and make him a domain admin of that child domain. I know from experience that using a DC as anything but a DC is a freakin pain in the ass; my predecessor set a DC up as a print/file server and another as a SQL server (finally able to demote that one now, soon hopefully). But my Citrix profiles are on the domain controller, and after months of trying to set delegation up properly in AD and setting up permissions in the appropriate folders on the DC, the only way I was able to get my Helpdesk admin set up to create accounts with my scripts so that I didn't have to do it was to make him a domain admin. My company is too damn cheap to get me another server to put the Citrix profiles somewhere else. Oh yeah, and it's an app server for network install of Office (can you feel my pain). So, if there is only one server in the site and it's a DC, the only way to get him to do anything is to make him a domain admin (make it a child domain so he can't climb up the tree).

Gideon Ashcraft
Network Admin
Screen Actors Guild

Subject: RE: [ActiveDir] Domain Controller Security

Look through the archives. The short answer is... "Just don't do it". You can't possibly secure this regardless of what anyone says. If someone says it can be made safe, stop asking them technical questions about Domain Controllers and Active Directory. Either you trust the person or you don't. If you don't trust the person, then don't put the person in a position to show you the meaning of screwed.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 4:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Controller Security

I have a contractor in a remote site. There is only 1 server in that site, which is a DC. He needs to administer that server:
- Create shares
- Make file/share permissions
- Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain. When I make him a "Server Operator" he can log on to any server in the domain. Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.

Thanks!
Fred

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
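An added example, written by the editor and not by any poster in this thread, of the OU-level part of Fred's request: granting a group only the right to reset passwords (and to set "must change password at next logon") on user objects under one OU, instead of the Domain Admin route the replies warn against. The OU distinguished name and group name are placeholders; the schema GUIDs are the documented values for the User-Force-Change-Password right, the pwdLastSet attribute and the user object class, and the script assumes the ActiveDirectory PowerShell module and its AD: drive.

```powershell
# Added example: delegate password reset on one OU only (least privilege).
# Placeholders below must be replaced with the real OU and group.
Import-Module ActiveDirectory

$ouDn     = "OU=RemoteSite,DC=example,DC=local"   # placeholder OU
$groupSam = "EXAMPLE\RemoteSite-PwdReset"          # placeholder group

# Documented schema GUIDs used by the delegation ACEs
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
$pwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # pwdLastSet attribute
$userObjectClass    = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class

$sid = (New-Object System.Security.Principal.NTAccount($groupSam)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: the "Reset Password" control access right, inherited by user objects only
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)

# ACE 2: write pwdLastSet so the helper can force a change at next logon
$pwdLastSetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userObjectClass)

$acl.AddAccessRule($resetRule)
$acl.AddAccessRule($pwdLastSetRule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: the group should now hold exactly these two scoped ACEs on the OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -eq $groupSam } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

This grants nothing on the server itself; the share and file-permission administration on the DC is the part the replies say cannot be scoped to a single domain controller.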