Then, given the end goal, (thinking here...might be a flaw) why not deny
that same group permissions to the %SystemRoot%\NTDS directory?  If the
issue is AD and then mucking with the AD files themselves on the DC, just
deny them.  Unless I'm mistaken (and given that I've just gotten up... It's
possible) the deny should override other permissions.

(Now, Joe - what am I missing...?? ;0)  )

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
Sent: Friday, July 18, 2003 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

The only hole is that it still affords them rights to make screw ups to the
actual .dit file... 

-m

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Moran
Sent: Friday, July 18, 2003 3:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

A quick down and dirty way to solve it would be to create an admin account
for each person like ADMIN_username, then put them in a group, put the group
in domain admins, and then place an explicit deny all at the root of the
domain for the new group and let it trickle down through inheritance.  Watch
who has rights to the group or you could wind up letting someone lock you
out.

This will give them local administrative rights to the DCs without letting them
muck up AD.

They still can do damage through RUN AS and some other exploits, but they
would really have to go out of their way and if you mistrust them that much
they should not touch a dc at all.

Let me know if that works

-John
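An added PowerShell audit for the scheme in this thread (it is not code from any of the posters): it checks that the per-person admin group is really nested in Domain Admins, that the explicit Deny at the domain root exists and is set to flow down through inheritance, and that a Deny is present on the folder holding ntds.dit as Rick suggests. It assumes the RSAT ActiveDirectory module is installed, that it runs on a domain controller for the folder check, and that the group is called ADMIN_ServerTeam, a placeholder name chosen here.

```powershell
# Added example, not from the thread: audit the delegation described above
# (a per-person ADMIN_ account in a group nested in Domain Admins, an explicit
# Deny at the domain root, and a Deny on the NTDS folder). Assumptions: the
# RSAT ActiveDirectory module is available, the caller can read the domain
# root ACL, and the NTDS folder check runs on a DC. The group name is a
# hypothetical placeholder.
param(
    [string]$DenyGroup = 'ADMIN_ServerTeam'
)

Import-Module ActiveDirectory -ErrorAction Stop

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$group    = Get-ADGroup -Identity $DenyGroup
$groupSid = $group.SID.Value

# Explicit (non-inherited) Deny ACEs held by one SID on an ACL. Works for the
# AD object ACL and the folder ACL alike; both expose the same core properties.
function Get-ExplicitDeny {
    param($Acl, [string]$Sid)
    $Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq $Sid
    }
}

# 1. Is the group actually a member of Domain Admins (RID 512 of this domain)?
$domainAdmins = Get-ADGroup -Identity "$($domain.DomainSID.Value)-512" -Properties Members
$nested = $domainAdmins.Members -contains $group.DistinguishedName
"Group '$DenyGroup' is a direct member of Domain Admins: $nested"

# 2. Does the Deny at the domain root exist, and will it trickle down?
#    Only 'All' or 'Descendents' inheritance reaches child OUs and objects.
$rootAcl  = Get-Acl -Path "AD:\$domainDN"
$rootDeny = @(Get-ExplicitDeny -Acl $rootAcl -Sid $groupSid)
if ($rootDeny.Count -eq 0) {
    "No explicit Deny for '$DenyGroup' at $domainDN"
}
foreach ($ace in $rootDeny) {
    [pscustomobject]@{
        Scope       = $domainDN
        Rights      = $ace.ActiveDirectoryRights
        Inheritance = $ace.InheritanceType
        FlowsDown   = @('All', 'Descendents') -contains [string]$ace.InheritanceType
    }
}

# 3. Deny on the directory holding ntds.dit. The path is read from the NTDS
#    service parameters rather than assumed, because the database can be
#    relocated; %SystemRoot%\NTDS is only the default location.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$params  = Get-ItemProperty -Path $ntdsKey -ErrorAction SilentlyContinue
$ntdsDir = if ($params.'DSA Database file') {
    Split-Path -Path $params.'DSA Database file' -Parent
} else {
    Join-Path -Path $env:SystemRoot -ChildPath 'NTDS'
}
if (Test-Path -Path $ntdsDir) {
    $dirDeny = @(Get-ExplicitDeny -Acl (Get-Acl -Path $ntdsDir) -Sid $groupSid)
    if ($dirDeny.Count -eq 0) { "No explicit Deny for '$DenyGroup' on $ntdsDir" }
    foreach ($ace in $dirDeny) {
        [pscustomobject]@{
            Scope       = $ntdsDir
            Rights      = $ace.FileSystemRights
            Inheritance = $ace.InheritanceFlags
        }
    }
} else {
    "NTDS folder '$ntdsDir' not found; run this on a domain controller"
}

# 4. A Deny only holds as long as the ACL does. List who can rewrite the root
#    ACL (WriteDacl, or ownership) so it can be compared with the deny group.
$writeDacl = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
$rootAcl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.ActiveDirectoryRights -band $writeDacl) -ne 0) } |
    Select-Object -Unique IdentityReference |
    ForEach-Object { "WriteDacl on root: $($_.IdentityReference)" }
"Owner of domain root ACL: $($rootAcl.Owner)"
```

Run it as a user who can read the domain root ACL; step 3 only reports meaningfully on a DC. Step 4 is the check that matters most for this design: a group that sits inside Domain Admins inherits the ability to edit the very ACL that holds its own Deny, so the output of step 4 should be compared against the deny group's membership before relying on the scheme.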
--- "Bond, Simon" <[EMAIL PROTECTED]> wrote:
> Basically my boss wants to give the server team the ability to install 
> updates and patches, etc on domain controllers but not give them 
> domain admins permissions. Is this possible? My gut feeling is no.
> -----Original Message-----
> From: Marcus Oh [mailto:[EMAIL PROTECTED]
> Sent: 18 July 2003 02:38
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Installation Priviledges only on a DC
> 
> 
> Eh?  You want to allow someone else to "change" AD in some way?  BAD! BAD!
> :-)  What's the proposition???
>  
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bond, Simon
> Sent: Thursday, July 17, 2003 10:15 AM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Installation Priviledges only on a DC
>  
> Is there a way to create a user who can log onto a DC and install 
> software on it but not be a domain admin? To me logically you would 
> have to be since a piece of software you might be installing may need 
> to alter AD in some way. However, this is what I have been asked to do 
> so I was hoping someone may be able to tell me one way or another.
>  
> Cheers
>  
> Simon
> 
> 
> This e-mail and all attachments are confidential and may be 
> privileged. If you have received this e-mail in error, notify the 
> sender immediately. Do not use, disseminate, store or copy it in any 
> way. Statements or opinions in this e-mail or any attachment are those
> of the author and are not 
> necessarily agreed or authorised by News International (NI). NI Group 
> may monitor emails sent or received for operational or business 
> reasons as permitted by law. NI Group accepts no liability for viruses 
> introduced by this e-mail or attachments. You should employ virus 
> checking software. News International Limited, 1 Virginia St, London 
> E98 1XY, is the holding company for the News International group and 
> is registered in England No 81701
> 


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

