Unfortunately this won't work for reasons discussed in other threads recently. The people who are domain admins will still be able to muck up AD.
A lot of the permissions granted to admins and domain admins in Active Directory are through direct explicit ACEs. Inherited DENY ACEs will bounce off of those explicit GRANTS unless you do some real fun stuff with the ACL chains, which I really don't recommend and you can't do from the GUI. You can't really lock down a DC effectively for this. IMHO no one you do NOT fully trust should have *any* interactive or file system access or application management access to a DC, period. There are just too many different ways to get more access once you have an "in" on a DC. A lot of people will depend on the fact that most people don't know what they are really doing with Windows, but this is a horrible assumption of security by obscurity. Trust almost no one with access to DCs.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Moran
Sent: Friday, July 18, 2003 3:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

A quick down and dirty way to solve it would be to create an admin account for each person like ADMIN_username, then put them in a group, put the group in domain admins, and then place an explicit deny all at the root of the domain for the new group and let it trickle down through inheritance. Watch who has rights to the group or you could wind up letting someone lock you out. This will give them local administrative rights to the DCs without letting them muck up AD. They still can do damage through RUN AS and some other exploits, but they would really have to go out of their way, and if you mistrust them that much they should not touch a DC at all.

Let me know if that works

-John

--- "Bond, Simon" <[EMAIL PROTECTED]> wrote:
> Basically my boss wants to give the server team the ability to install
> updates and patches, etc on domain controllers but not give them domain
> admins permissions. Is this possible? My gut feeling is no.
>
> -----Original Message-----
> From: Marcus Oh [mailto:[EMAIL PROTECTED]
> Sent: 18 July 2003 02:38
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Installation Priviledges only on a DC
>
> Eh? You want to allow someone else to "change" AD in some way? BAD! BAD!
> :-) What's the proposition???
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bond, Simon
> Sent: Thursday, July 17, 2003 10:15 AM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Installation Priviledges only on a DC
>
> Is there a way to create a user who can log onto a DC and install
> software on it but not be a domain admin? To me logically you would
> have to be, since a piece of software you might be installing may need
> to alter AD in some way. However, this is what I have been asked to do,
> so I was hoping someone may be able to tell me one way or another.
>
> Cheers
>
> Simon
>
> This e-mail and all attachments are confidential and may be privileged.
> If you have received this e-mail in error, notify the sender immediately.
> Do not use, disseminate, store or copy it in any way. Statements or
> opinions in this e-mail or any attachment are those of the author and are
> not necessarily agreed or authorised by News International (NI). NI Group
> may monitor emails sent or received for operational or business reasons
> as permitted by law. NI Group accepts no liability for viruses introduced
> by this e-mail or attachments. You should employ virus checking software.
> News International Limited, 1 Virginia St, London E98 1XY, is the holding
> company for the News International group and is registered in England
> No 81701

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
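The ACL-evaluation point made at the top of this thread, shown as an added Python model of the Windows DACL access check (this is illustration code, not anything posted by the list members). ACEs are evaluated in canonical order, so an inherited Deny on a child object is only reached after that object's own explicit Allow; the SIDs and access bits are constructed sample values, and the model ignores object-specific ACEs, owner rights and privileges.

```python
# Model of the Windows DACL access check (added illustration; simplified).
# Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
from dataclasses import dataclass

# Constructed access bits; real AD rights masks are richer than this.
READ, WRITE, DELETE = 0x1, 0x2, 0x4
GENERIC_ALL = READ | WRITE | DELETE


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    sid: str         # trustee SID (constructed values below)
    mask: int        # access bits this ACE covers
    inherited: bool  # True if it flowed down from a parent container


def canonical_order(dacl):
    """Explicit before inherited, Deny before Allow within each group."""
    def rank(ace):
        return (ace.inherited, ace.kind == "allow")
    return sorted(dacl, key=rank)


def access_check(dacl, token_sids, requested):
    """True if every requested bit is granted before a matching Deny is hit.
    A Deny that overlaps any still-ungranted bit fails the check outright;
    Allows accumulate until nothing remains (the kernel's basic algorithm)."""
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed DACL on a child OU after the "Deny at the domain root" idea:
# the OU keeps its default explicit Allow for Domain Admins, and an inherited
# Deny for the new ADMIN_* group arrives from the root.
DOMAIN_ADMINS, SERVER_TEAM = "S-1-5-21-X-512", "S-1-5-21-X-1105"
ou_dacl = [
    Ace("deny", SERVER_TEAM, GENERIC_ALL, inherited=True),
    Ace("allow", DOMAIN_ADMINS, GENERIC_ALL, inherited=False),
]
token = {DOMAIN_ADMINS, SERVER_TEAM}  # member of both (group nested in DA)


def inherited_deny_blocks_write():
    return not access_check(ou_dacl, token, WRITE)   # False: explicit Allow wins


def explicit_deny_blocks_write():
    hardened = [Ace("deny", SERVER_TEAM, WRITE, inherited=False)] + ou_dacl
    return not access_check(hardened, token, WRITE)  # True, but only per object
```

The second function shows why the fix is impractical: the Deny only works once it is explicit on every object that carries an explicit Domain Admins Allow, which is the ACL surgery the reply warns against.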
