Using subinacl is not the best approach to manage the service permissions on a DC; I'd only use it on a standalone system or on Win2k members in an NT4 domain - in AD GPOs are the preferred way and the "Security Settings\System Service" get you where you want to be.
But yes, neither the Default Domain Policy nor the Default Domain Controller Policy meet the goal to grant specific permissions on single DCs. The way around this is simply to add sub-OUs UNDERNEATH the Domain Controllers OU (e.g. one for each office hosting a DC) and to place the DCs in the appropriate OU. You can now add additional GPOs for DCs in a specific office (like granting permissions on services) while still being covered by the general Default Domain and Default Domain Controllers Policies.

/Guido

-----Original Message-----
From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 26. März 2003 00:12
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restart/Start Services Right

> I think u can do it Domain Security Policy \Security Settings \ System service

Doesn't meet his requirement, Default Domain Policy is common to all DC's in the DC OU.

"specific office based administrators to restart/start services on specific domain controllers."

Conceivably it could be done on individual DC's with subinacl but I have never tried it.

SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]

The values that 'Access' can take are:

    F : Full Control
    R : Generic Read
    W : Generic Write
    X : Generic eXecute
    L : Read controL
    Q : Query Service Configuration
    S : Query Service Status
    E : Enumerate Dependent Services
    C : Service Change Configuration
    T : Start Service
    O : Stop Service
    P : Pause/Continue Service
    I : Interrogate Service
    U : Service User-Defined Control Commands

-----Original Message-----
From: Milind Patil [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 4:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restart/Start Services Right

I think u can do it Domain Security Policy \Security Settings \ System services

regs
Milind

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 2:56 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Restart/Start Services Right

Good Morning/Afternoon/Evening All,

I have many DCs in many locations. I basically want to allow specific office based administrators to restart/start services on specific domain controllers.

How would I go about this? Is it possible?

Thanks and Best Regards,
Rob

Robert Rutherford

********************************************************************
This E-mail and any files transmitted with it are in commercial confidence and intended solely for the use of the individual or entity to whom they are addressed. If you have received this E-mail in error please notify the Administrator by E-mail ([EMAIL PROTECTED]). Any views or opinions expressed are solely those of the author and do not necessarily represent those of DEK International., or its affiliates.
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
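
Added example, not part of the original thread: whichever route is used (a GPO on a per-office sub-OU or subinacl), the resulting service ACL on the DC can be checked by decoding its SDDL string, for instance the output of `sc sdshow <service>`. The sketch below maps SDDL service rights to the subinacl access letters listed above and flags rights that go beyond operating the service; the sample descriptor and the group SID are constructed for illustration.

```python
import re

# SDDL right codes on service objects -> (subinacl letter, meaning from the thread)
SERVICE_RIGHTS = {
    "CC": ("Q", "Query Service Configuration"),
    "LC": ("S", "Query Service Status"),
    "SW": ("E", "Enumerate Dependent Services"),
    "DC": ("C", "Service Change Configuration"),
    "RP": ("T", "Start Service"),
    "WP": ("O", "Stop Service"),
    "DT": ("P", "Pause/Continue Service"),
    "LO": ("I", "Interrogate Service"),
    "CR": ("U", "Service User-Defined Control Commands"),
    "RC": ("L", "Read controL"),
}
# Rights that allow reconfiguring or taking over the service, not just running it
RISKY = {"DC", "WD", "WO", "GA", "GW"}

def parse_service_dacl(sddl):
    """Return (ace_type, trustee, [right codes]) for each ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, skip it
        rights = fields[2]
        # Hex access masks are kept raw and later reported as undecoded
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        aces.append((fields[0], fields[5], codes))
    return aces

def audit(sddl, trustee):
    """Return (subinacl letters granted, rights needing review) for one trustee."""
    letters, review = set(), set()
    for ace_type, ace_trustee, codes in parse_service_dacl(sddl):
        if ace_type != "A" or ace_trustee != trustee:
            continue  # only allow-ACEs for the delegated principal
        for code in codes:
            if code in SERVICE_RIGHTS:
                letters.add(SERVICE_RIGHTS[code][0])
            if code in RISKY or code not in SERVICE_RIGHTS:
                review.add(code)
    return "".join(sorted(letters)), sorted(review)

# Constructed sample: a typical service DACL plus one delegated office-admin group
OFFICE_ADMINS = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;LCRPWPLO;;;" + OFFICE_ADMINS + ")"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    print(audit(SAMPLE, OFFICE_ADMINS))  # delegated group
    print(audit(SAMPLE, "BA"))           # built-in Administrators
```

A delegated group that only needs to start and stop a service should come back with the letters S, T, O and I and an empty review list.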
