what's the size of these 4 locations? and their network connectivity to
the next larger location that has a DC? 

the locations may be large enough to absolutely require a file & print
server - but they could very well be fine without placing a DC in the
location and you'd still find authentication to run sufficiently well.
Of course the locations won't be as independent in terms of network
outage, but usually you have many other dependencies in this case as
well (such as central web-apps, LOB apps, messaging servers etc.) so
network authentication shouldn't be the real culprit.

And with the Kerberos capabilities (assuming your users were able to
logon in the morning), the Kerberos ticket will allow sufficient time
for an unreachable DC as well.  I find DCs being placed in way too many
locations at many companies - often in physically insecure rooms... So
even if you don't grant admin rights to local folks, this is not a bit
more secure either...  Better to keep DCs out of these locations.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris Lynch
Sent: Friday, 21 May 2004 23:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Domain Controller Security...


I know.  I agree that this isn't good security practice.  I wouldn't
recommend this either.  But, for the lack of space in most locations
(and we are only talking about 4 locations), we would just like to
give the local tech access to that DC only and no other DC in the
domain.  I can restrict them to log onto that DC local to them only
(via GPO).  I might just give them Server Operators rights, restrict
them to log onto that DC only, and call it a day.

Thanks,

Chris 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Friday, May 21, 2004 10:19 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Domain Controller Security...
> 
> True... I musta read half the question (again).
> 
> 
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>  
> 
> > -----Original Message-----
> > From: joe [mailto:[EMAIL PROTECTED]
> > Sent: Friday, May 21, 2004 12:41 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Domain Controller Security...
> > 
> > I am not sure that fits his requirements for this one...
> > 
> > Sounds like he is file sharing from the DC (not something I
> > personally recommend) and obviously it would be a bit much to
> > dcpromo down and back up to add a new share.
> > 
> >   joe
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > Seielstad
> > Sent: Friday, May 21, 2004 11:54 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Domain Controller Security...
> > 
> > I like Joe Richard's option - DCPromo it out, let the tech
> > work on it, and DCPromo it back in
> > 
> > 
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >  
> > 
> > > -----Original Message-----
> > > From: Chris Lynch [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, May 21, 2004 11:27 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Domain Controller Security...
> > > 
> > > 
> > > I'm wondering if anyone has accomplished the following:
> > > 
> > > Provided different security policies to multiple DCs within the
> > > same domain, but different OUs for field techs to manage resources
> > > on just that DC without giving Server Operators rights.
> > > 
> > > I have almost all of the requirements resolved, except the
> > > ability to create shares.  I have modified the security on the
> > > HKLM\System\CurrentControlSet\Services\LanManserver and
> > > HKLM\System\ControlSet001\Services\LanManserver with no success.
> > > Every document I have read about where the share definitions are
> > > stored says they are located in these two reg keys.
> > > 
> > > I know the simple way would be to deploy another server to that
> > > location and give them local Administrator rights.  But,
> > > management doesn't want to do this.
> > > 
> > > Thanks for any input,
> > > 
> > > Chris Lynch
> > > 
> > > 
> > > List info   : http://www.activedir.org/mail_list.htm
> > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > List archive: 
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > 

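As an added example (not code from any poster in this thread), a PowerShell audit a defender could run on a DC to see two things the thread turns on: which principals can write the LanmanServer Shares registry key that Chris was changing permissions on, and who is in Server Operators, a group whose rights apply to every DC in the domain rather than just one. `$expectedWriters` is an assumed site-specific allowlist; the script assumes the ActiveDirectory module is present on the DC.

```powershell
# Added example, not from the thread. Run on a domain controller.
# Share definitions live under this key; write access here is effectively
# the right to create or alter shares on this DC.
$sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'

# Principals expected to hold write access (assumption: site-specific allowlist).
$expectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
$acl = Get-Acl -Path $sharesKey

# Flag every Allow ACE that grants SetValue to a principal outside the allowlist.
foreach ($ace in $acl.Access) {
    $canWrite = (($ace.RegistryRights -band $setValue) -ne 0)
    if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
        $expectedWriters -notcontains $ace.IdentityReference.Value) {
        [pscustomobject]@{
            Check     = 'SharesKeyWriter'
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
        }
    }
}

# Server Operators membership is domain-wide: a member added "for one DC"
# can log on to and manage every DC. List the effective (nested) membership.
Get-ADGroupMember -Identity 'Server Operators' -Recursive | ForEach-Object {
    [pscustomobject]@{
        Check     = 'ServerOperatorsMember'
        Principal = $_.SamAccountName
        Rights    = 'all DCs in domain'
    }
}
```

Any row in the output is a delegation that reaches beyond a single DC and is worth reviewing against the per-location intent described in the thread.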

