The only hole is that it still affords them rights to make screw ups to
the actual .dit file... 

-m

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Moran
Sent: Friday, July 18, 2003 3:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

A quick down and dirty way to solve it would be to create an
admin account for each person like ADMIN_username, then put
them in a group, put the group in domain admins, and then
place an explicit deny all at the root of the domain for the
new group and let it trickle down through inheritance.  Watch
who has rights to the group or you could wind up letting
someone lock you out.

This will give them local administrative rights to the DCs
without letting them muck up AD.

They still can do damage through RUN AS and some other
exploits, but they would really have to go out of their way
and if you mistrust them that much they should not touch a dc
at all.

Let me know if that works

-John 
--- "Bond, Simon" <[EMAIL PROTECTED]> wrote:
> Basically my boss wants to give the server team the ability to install
> updates and patches, etc. on domain controllers but not give them domain
> admins permissions. Is this possible? My gut feeling is no.
> -----Original Message-----
> From: Marcus Oh [mailto:[EMAIL PROTECTED] 
> Sent: 18 July 2003 02:38
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Installation Priviledges only on a DC
> 
> 
> Eh?  You want to allow someone else to "change" AD in some way?  BAD!  BAD!
> :-)  What's the proposition???
>  
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Bond, Simon
> Sent: Thursday, July 17, 2003 10:15 AM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Installation Priviledges only on a DC
>  
> Is there a way to create a user who can log onto a DC and install software
> on it but not be a domain admin? To me logically you would have to be since
> a piece of software you might be installing may need to alter AD in some
> way. However, this is what I have been asked to do so I was hoping someone
> may be able to tell me one way or another.
>  
> Cheers
>  
> Simon
> 
> 
> This e-mail and all attachments are confidential and may be
> privileged. If
> you have received this e-mail in error, notify the sender
> immediately. Do
> not use, disseminate, store or copy it in any way.
> Statements or opinions in
> this e-mail or any attachment are those of the author and
> are not
> necessarily agreed or authorised by News International
> (NI). NI Group may
> monitor emails sent or received for operational or business
> reasons as
> permitted by law. NI Group accepts no liability for viruses
> introduced by
> this e-mail or attachments. You should employ virus
> checking software. News
> International Limited, 1 Virginia St, London E98 1XY, is
> the holding company
> for the News International group and is registered in
> England No 81701
> 
> 
> 
> 


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
