If memory serves me correctly Server Operators is going to put them under the umbrella of AdminSDHolder so you'll need to consider what delegation has been done on them. They'll be un-delegated (so to speak) next time SDProp kicks.
I would like to go on record as having said I don't like this idea. Non-domain admins should not admin DCs. But you probably don't need me to remind you of that......

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 21, 2004 7:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

Yep, and hope they don't have the desire to do more... Because you aren't stopping them.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Lynch
Sent: Friday, May 21, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

I know. I agree that this isn't good security practice. I wouldn't recommend this as well. But, for the lack of space in most locations (and we are only talking about 4 locations), we would just like to give the local tech access to that DC only and no other DC in the domain. I can restrict them to log onto that DC local to them only (via GPO). I might just give them Server Operators rights, restrict them to log onto that DC only, and call it a day.

Thanks,
Chris

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Friday, May 21, 2004 10:19 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Domain Controller Security...
>
> True... I musta read half the question (again).
>
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Friday, May 21, 2004 12:41 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Domain Controller Security...
> >
> > I am not sure that fits his requirements for this one...
> >
> > Sounds like he is file sharing from the DC (not something I personally
> > recommend) and obviously it would be a bit much to dcpromo down and
> > back up to add a new share.
> >
> > joe
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > Sent: Friday, May 21, 2004 11:54 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Domain Controller Security...
> >
> > I like Joe Richard's option - DCPromo it out, let the tech work on it,
> > and DCPromo it back in
> >
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -----Original Message-----
> > > From: Chris Lynch [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, May 21, 2004 11:27 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Domain Controller Security...
> > >
> > > I'm wondering if anyone has accomplished the following:
> > >
> > > Provided different security policies to multiple DC's within the same
> > > domain, but different OU's for field techs to manage resources on just
> > > that DC without giving Server Operators rights.
> > >
> > > I have almost all of the requirements resolved, except the ability to
> > > create shares. I have modified the security on the
> > > HKLM\System\CurrentControlSet\Services\LanManserver and
> > > HKLM\System\ControlSet001\Services\LanManserver with no success.
> > > Every document I have read about where the shares definitions are
> > > stored are located in these two reg keys.
> > >
> > > I know the simple way would be to deploy another server to that
> > > location and give them local Administrator rights. But, management
> > > doesn't want to do this.
> > >
> > > Thanks for any input,
> > >
> > > Chris Lynch
> > >
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive:
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
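
The AdminSDHolder point made in the first message of this thread can be checked on a live domain. The following is an added example, not code from any poster on the list; it assumes the RSAT ActiveDirectory module and read access to the directory, and the function name is hypothetical.

```powershell
# Added example: audit which Server Operators members SDProp has protected.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-ServerOperatorsProtectionState {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$GroupName = 'Server Operators'
    )

    # -Recursive returns the leaf members of nested groups as well,
    # because SDProp also protects indirect members.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive

    foreach ($m in $members) {
        $obj = Get-ADObject -Identity $m.DistinguishedName `
                            -Properties adminCount, nTSecurityDescriptor

        [pscustomobject]@{
            Name               = $obj.Name
            ObjectClass        = $obj.ObjectClass
            # adminCount = 1 marks an object SDProp has processed.
            AdminCount         = $obj.adminCount
            # True means inheritance is disabled on the object's ACL, so
            # permissions delegated at the OU level no longer reach it.
            InheritanceBlocked = $obj.nTSecurityDescriptor.AreAccessRulesProtected
            DistinguishedName  = $obj.DistinguishedName
        }
    }
}

# The ACL that SDProp stamps onto protected objects lives on AdminSDHolder.
$adminSdHolder = "AD:\CN=AdminSDHolder,CN=System,$((Get-ADDomain).DistinguishedName)"
(Get-Acl -Path $adminSdHolder).Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

Get-ServerOperatorsProtectionState |
    Sort-Object InheritanceBlocked, Name |
    Format-Table -AutoSize
```

An account that is later removed from the group keeps adminCount = 1 and its non-inheriting ACL until both are reset by hand, so run the same check against former members when cleaning up.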
