Have you done this in practice, Guido?  Are there any drawbacks to separating DCs into OUs under the domain controller container?


"GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/26/2003 02:46 AM
Please respond to ActiveDir

       
        To:        "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
        cc:        
        Subject:        RE: [ActiveDir] Restart/Start Services Right



Using subinacl is not the best approach to manage the service permissions on
a DC; I'd only use it on a standalone system or on Win2k members in an NT4
domain - in AD GPOs are the preferred way and the "Security Settings\System
Service" get you where you want to be.

But yes, neither the Default Domain Policy nor the Default Domain Controller
Policy meet the goal to grant specific permissions on single DCs.  The way
around this is simply to add sub-OUs UNDERNEATH the Domain Controllers OU
(e.g. one for each office hosting a DC) and to place the DCs in the
appropriate OU. You can now add additional GPOs for DCs in a specific office
(like granting permissions on services) while still being covered by the
general Default Domain and Default Domain Controllers Policies.

/Guido

-----Original Message-----
From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 26 March 2003 00:12
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restart/Start Services Right


>I think u can do it Domain Security Policy \Security Settings \ System
>service

Doesn't meet his requirement, Default Domain Policy is common to all DC's in
the DC OU.

"specific office based administrators to restart/start services on specific
domain controllers."

Conceivably it could be done on individual DC's with subinacl but I have
never tried it.

SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]

The values that 'Access' can take are:
  F : Full Control
  R : Generic Read
  W : Generic Write
  X : Generic eXecute
  L : Read controL
  Q : Query Service Configuration
  S : Query Service Status
  E : Enumerate Dependent Services
  C : Service Change Configuration
  T : Start Service
  O : Stop Service
  P : Pause/Continue Service
  I : Interrogate Service
  U : Service User-Defined Control Commands
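
Added example, not part of any message in this thread: a Python sketch for auditing a delegation like the one discussed, by decoding a service's security descriptor (the SDDL string that `sc sdshow <service>` prints) into the subinacl access letters listed above and reporting who besides the built-in principals can start or stop the service. The sample SDDL and the delegated SID are constructed for illustration, and rights are assumed to be in two-letter SDDL form rather than hex.

```python
import re

# SDDL right code -> subinacl access letter, per the list above.
SDDL_TO_LETTER = {
    "RC": "L",  # Read control
    "CC": "Q",  # Query service configuration
    "LC": "S",  # Query service status
    "SW": "E",  # Enumerate dependent services
    "DC": "C",  # Service change configuration
    "RP": "T",  # Start service
    "WP": "O",  # Stop service
    "DT": "P",  # Pause/continue service
    "LO": "I",  # Interrogate service
    "CR": "U",  # User-defined control commands
}
BUILTIN = {"SY", "BA"}  # LocalSystem, Builtin Administrators

# Constructed sample: a typical service DACL plus one delegated ACE.
DELEGATE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "(A;;RPWPLCRC;;;" + DELEGATE_SID + ")"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def decode_service_dacl(sddl):
    """Map each trustee to the rights its allow ACEs grant on the service."""
    # Take only the DACL ACEs; the SACL ("S:") is not part of this match.
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    grants = {}
    for ace in re.findall(r"\(([^)]*)\)", match.group(1) if match else ""):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type != "A":  # only allow ACEs grant access
            continue
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        # Codes outside the list above (e.g. SD, WD, WO) are kept verbatim.
        grants.setdefault(trustee, set()).update(
            SDDL_TO_LETTER.get(c, c) for c in codes)
    return grants

def unexpected_controllers(sddl, expected=BUILTIN):
    """Trustees outside `expected` that may start (T) or stop (O) the service."""
    return {t: sorted(r) for t, r in decode_service_dacl(sddl).items()
            if t not in expected and r & {"T", "O"}}

if __name__ == "__main__":
    print(unexpected_controllers(SAMPLE_SDDL))
```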




-----Original Message-----
From: Milind Patil [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 4:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restart/Start Services Right



I think u can do it Domain Security Policy \Security Settings \ System
services
regs
Milind

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 2:56 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Restart/Start Services Right



Good Morning/Afternoon/Evening All,

I have many DCs in many locations. I basically want to allow specific
office based administrators to restart/start services on specific domain
controllers.

How would I go about this? Is it possible?

Thanks and Best Regards,

Rob

Robert Rutherford






List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

