You can do so by Group-Policies, e.g. in the Default Domain Controllers Policy (Computer Config \ Windows Settings \ Security Settings \ System Services). Beware that the GUI only lists the services that it can see on the _machine_ from where you edit the GPO, so you should edit this part of the GPO on a DC (or via TS, instead of remotely via the ADUC GUI from your desktop).
Some more tips:
* in W2K, the GUI doesn't show you the current permissions that exist on a service (when you choose to edit the security, it defaults to Everyone Full Control...), so be sure to add SYSTEM and Administrators into the mix when you change the services' ACLs (in Windows Server 2003, the current ACLs are shown)
* when you change the Default Domain Controllers Policy, you will obviously affect all DCs. This may be o.k. for what you want, but if you want to limit your setting to a specific DC, this won't really help. But you really don't want to take the DC out of that OU, as otherwise it won't get the other settings it requires...
=> the solution: create sub-OUs underneath the Domain Controllers OU (e.g. one for each AD site) and create dedicated GPOs for these sub-OUs to define the security on the services (or to grant local staff of a remote location the permission to gracefully shut down only their local DC)
The latter is a well-known practice, yet there are different statements from MS rgd. the supportability of sub-OUs underneath the Domain Controllers OU. This is currently being discussed in Redmond and I hope to have an official answer to this soon, but it looks like MS will support it.
/Guido
-----Original Message-----
From: John F. Hann [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 15 February 2003 04:56
To: ActiveDir List
Subject: [ActiveDir] Security Priv over Services on a DC

What/Where would I adjust the security to allow a group to start/stop services on a DC?

Obviously, I would only do this for certain services, since this group will not have DA level access.

John Hann
BancorpSouth
662.678.7179
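
An added example, not part of the thread above: a check for the two pitfalls the reply mentions (a service ACL saved without SYSTEM and Administrators, and a non-admin trustee left with more than start/stop). It reads the `[Service General Setting]` section of a GPO security template (`GptTmpl.inf`) and assumes rights are written as two-letter SDDL codes; the template text and the group SID are constructed sample values.

```python
import re

# SDDL right codes as they apply to service objects (RP = start, WP = stop)
FULL = {"CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO", "CR", "SD", "RC", "WD", "WO"}
# DC = change config, WD = write DACL, WO = take ownership, SD = delete service
DANGEROUS = {"DC", "WD", "WO", "SD"}
ADMINS = ("SY", "BA")  # SYSTEM and BUILTIN\Administrators

# Constructed sample template: Spooler delegates start/stop to a group SID,
# DNS was saved with only "Everyone Full Control" (trustee WD = Everyone).
SAMPLE = '''[Unicode]
Unicode=yes
[Service General Setting]
"Spooler",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWRPWPLORC;;;S-1-5-21-1111111111-2222222222-3333333333-1104)"
"DNS",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
'''

def parse_dacl(sddl):
    """Return {trustee: set of right codes} for the allow ACEs of the DACL."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop owner/group and SACL
    acl = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type != "A":  # only allow ACEs grant rights
            continue
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        acl.setdefault(trustee, set()).update(codes)
    return acl

def audit_template(text):
    """Return (service, trustee, problem) tuples for risky service ACLs."""
    findings, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
            continue
        if not in_section or not line:
            continue
        # Entry format: "ServiceName",startup_type,"SDDL"
        name, _startup, sddl = [f.strip().strip('"') for f in line.split(",", 2)]
        acl = parse_dacl(sddl)
        for admin in ADMINS:
            if not FULL <= acl.get(admin, set()):
                findings.append((name, admin, "missing full control"))
        for trustee, rights in acl.items():
            if trustee not in ADMINS and rights & DANGEROUS:
                findings.append((name, trustee, "can reconfigure service or its ACL"))
    return findings
```
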