Quite honestly I wouldn't give out DC reboot privileges to anyone. Not only do you have to chase the outage (because you ARE monitoring them) but also because a lot of "lesser skilled" admins use reboot as one of the first troubleshooting steps and it tends to cover up the real problems.

Giving out access to stop/restart/etc specific services is fairly easy to do either through domain controller group policy (Security Settings|System Services) or through subinacl directly on the services.

One thing to be careful of is that most of the hardware based remote control products (RSA, DRAC, etc) allow reboot and additional access to the OS through the hardware so be careful with that.

We do not allow anyone access to DCs other than authentication, WINS read (and client functionality obviously), and netlogon/sysvol read. If someone has to work on a DC we demote it or have them restage it. This works well with ~400 DCs globally dispersed with 3 centralized admins.

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Morley, Scott
Sent: Friday, March 19, 2004 12:27 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Limited DC rights/permissions
All,

I've got a unique (maybe?) situation here. I need to give our service provider enough access to our DCs so that they can restart certain services (related to hardware, not AD), and reboot the server. Obviously, I do want to hand over the keys to the kingdom to non-employees, especially when I'll have to fix any mistakes.

Is there any way to give this granular permissioning on a DC without handing over Domain Admin rights? A tool maybe?

Scott Morley
MCSE 2000/4.0, Exchange 2000/5.5, MCT, CCNA, CNE, CNI
Senior Systems Engineer/Architect
Global Messaging Services, Starwood Technology Center
Starwood Hotels and Resorts, Worldwide
Phone: 781-348-7120
"We will not be driven by fear into an age of
unreason if we remember that we are not descended from fearful men, not from men
who feared to write, to speak, to associate and to defend causes which were, for
the moment, unpopular." -- Edward R. Murrow
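An added example, not part of the original thread: whether the delegation is made through the System Services policy or with subinacl, the result is an ACE on the service's security descriptor, so it can be audited afterwards. The Python below parses a service SDDL string (the form `sc sdshow` prints) and reports any non-administrative trustee holding more than operate-only rights, since CHANGE_CONFIG or WRITE_DAC on a service goes well beyond restart access. The SDDL strings and the operator group SID are constructed for illustration.

```python
import re

# Service-specific meaning of the two-letter SDDL rights codes.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that allow operating a service but not reconfiguring, re-ACLing or deleting it.
SAFE = {"QUERY_CONFIG", "QUERY_STATUS", "ENUMERATE_DEPENDENTS", "START", "STOP",
        "PAUSE_CONTINUE", "INTERROGATE", "USER_DEFINED_CONTROL", "READ_CONTROL"}
# Trustees expected to hold full control: LocalSystem and built-in Administrators.
PRIVILEGED = {"SY", "BA"}
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

def parse_dacl(sddl):
    """Return {trustee: set of right names} for the allow ACEs in the D: section."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    grants = {}
    for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(dacl):
        if ace_type != "A":
            continue  # only allow ACEs grant access
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        names = {SERVICE_RIGHTS.get(c, c) for c in codes}  # unknown codes stay raw and get flagged
        grants.setdefault(trustee, set()).update(names)
    return grants

def excessive_grants(sddl):
    """Map each non-privileged trustee to the rights it holds beyond SAFE."""
    return {t: sorted(r - SAFE) for t, r in parse_dacl(sddl).items()
            if t not in PRIVILEGED and r - SAFE}

# Constructed samples; OPS is the SID of a hypothetical "DC service operators" group.
OPS = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASE = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
TIGHT = BASE + "(A;;LCRPWPLORC;;;%s)" % OPS      # query status, start, stop only
LOOSE = BASE + "(A;;CCDCLCRPWPRCWD;;;%s)" % OPS  # also change config and write DAC

if __name__ == "__main__":
    for name, sddl in (("tight", TIGHT), ("loose", LOOSE)):
        print(name, excessive_grants(sddl))
```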
