My advice is nothing new... I'm going to say the same thing as ~Eric and joe -- but with a stronger security warning (and at the risk of repeating another recent discussion on this list.)
You should trust the techs that can log on locally to a domain controller just as much as you trust your Enterprise Admins. If you do trust them that much, then you may not need to go to great lengths to give the illusion of restricted access to the DC. If you don't, then I'd consider the option of not having DCs at those locations.

This document is often referred to because it clearly spells out the threats:

Delegating Administration in Windows 2000 Active Directory Directory Services
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx

These are some highlights from that document that apply to your scenario:

- Domain Controllers within a forest cannot be isolated from one another.
- Service administrators in Active Directory include: ... Builtin\Server Operators
- The service administrators of a domain cannot be prevented from viewing or manipulating the data stored in a domain or on computers joined to a domain.
- Restrict physical access to domain controllers to service administrators.

Hopefully, this information will help you discuss with management their reluctance to help you do the right thing.

--Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 21, 2004 5:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

Hey, ~Eric said what I said, he just said it nicer and in more words. The first doesn't surprise me, the second, immensely so.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, May 21, 2004 8:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

If memory serves me correctly Server Operators is going to put them under the umbrella of AdminSDHolder so you'll need to consider what delegation has been done on them. They'll be un-delegated (so to speak) next time SDProp kicks.
I would like to go on record as having said I don't like this idea. Non-domain admins should not admin DCs. But you probably don't need me to remind you of that......

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 21, 2004 7:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

Yep, and hope they don't have the desire to do more... Because you aren't stopping them.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Lynch
Sent: Friday, May 21, 2004 5:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...

I know. I agree that this isn't good security practice. I wouldn't recommend this as well. But, for the lack of space in most locations (and we are only talking about 4 locations), we would just like to give the local tech access to that DC only and no other DC in the domain. I can restrict them to log onto that DC local to them only (via GPO). I might just give them Server Operators rights, restrict them to log onto that DC only, and call it a day.

Thanks,
Chris

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Friday, May 21, 2004 10:19 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Domain Controller Security...
>
> True... I musta read half the question (again).
>
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Friday, May 21, 2004 12:41 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Domain Controller Security...
> >
> > I am not sure that fits his requirements for this one...
> >
> > Sounds like he is file sharing from the DC (not something I personally recommend) and obviously it would be a bit much to dcpromo down and back up to add a new share.
> >
> > joe
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > Sent: Friday, May 21, 2004 11:54 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Domain Controller Security...
> >
> > I like Joe Richard's option - DCPromo it out, let the tech work on it, and DCPromo it back in
> >
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -----Original Message-----
> > > From: Chris Lynch [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, May 21, 2004 11:27 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Domain Controller Security...
> > >
> > > I'm wondering if anyone has accomplished the following:
> > >
> > > Provided different security policies to multiple DC's within the same domain, but different OU's for field techs to manage resources on just that DC without giving Server Operators rights.
> > >
> > > I have almost all of the requirements resolved, except the ability to create shares. I have modified the security on the HKLM\System\CurrentControlSet\Services\LanManserver and HKLM\System\ControlSet001\Services\LanManserver with no success. Every document I have read about where the share definitions are stored says they are located in these two reg keys.
> > >
> > > I know the simple way would be to deploy another server to that location and give them local Administrator rights. But, management doesn't want to do this.
> > >
> > > Thanks for any input,
> > >
> > > Chris Lynch
> > >
> > > List info : http://www.activedir.org/mail_list.htm
> > > List FAQ : http://www.activedir.org/list_faq.htm
> > > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
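As an added example (not code from the thread or from any of its participants), this PowerShell audit shows the AdminSDHolder effect Eric describes: once a tech is in Builtin\Server Operators, SDProp stamps the account with the AdminSDHolder DACL, sets adminCount=1 and blocks inheritance, undoing any OU-level delegation. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name is my own.

```powershell
# Added example: report the AdminSDHolder/SDProp state of every user in Server Operators.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

$access    = [System.Security.AccessControl.AccessControlSections]::Access
$domainDN  = (Get-ADDomain).DistinguishedName
# AdminSDHolder holds the template DACL that SDProp copies onto protected accounts
$template  = Get-ADObject "CN=AdminSDHolder,CN=System,$domainDN" -Properties nTSecurityDescriptor
$templDacl = $template.nTSecurityDescriptor.GetSecurityDescriptorSddlForm($access)

function Get-ServerOperatorProtectionReport {
    # Direct and nested user members; nested groups and computer objects are skipped
    $members = Get-ADGroupMember -Identity 'Server Operators' -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u  = Get-ADUser -Identity $m.distinguishedName -Properties adminCount, nTSecurityDescriptor
        $sd = $u.nTSecurityDescriptor
        [pscustomobject]@{
            SamAccountName      = $u.SamAccountName
            AdminCount          = $u.adminCount              # 1 once SDProp has processed the account
            InheritanceBlocked  = $sd.AreAccessRulesProtected # SDProp disables ACL inheritance
            # True when the account's DACL is an exact copy of the AdminSDHolder DACL,
            # i.e. any delegation that was set on the account or its OU has been reset.
            DaclMatchesTemplate = ($sd.GetSecurityDescriptorSddlForm($access) -eq $templDacl)
        }
    }
}

$report = Get-ServerOperatorProtectionReport
if (-not $report) {
    Write-Output 'Server Operators has no user members.'
} else {
    $report | Format-Table -AutoSize
    # A member whose DACL differs from the template either has not been processed yet
    # (SDProp runs every 60 minutes by default) or has had its ACL changed since; either way,
    # do not rely on delegation set on that account, because the next SDProp pass replaces it.
    $report | Where-Object { -not $_.DaclMatchesTemplate } | ForEach-Object {
        Write-Warning "$($_.SamAccountName): DACL does not match AdminSDHolder yet; SDProp will overwrite it."
    }
}
```

Removing the tech from Server Operators later does not clear adminCount or re-enable inheritance; those have to be reset by hand, which is why the report shows both values rather than group membership alone.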
