The problem, as you're most likely aware, is that server admins have
access to the Task Scheduler, which means they can kick things off as
LocalSystem, which means the DC is then 0wn3d (owned).

Not sure what I'd do in your shoes. I'm fortunate enough to have really
good IT folk in my remote locations with DCs. I'm also fortunate enough
to be 6'5" tall, built like an NFL lineman, and have an expense account
with which I can purchase plane tickets to their location to engage in
what my ex-Army junior admin refers to as "wall to wall counseling."

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -----Original Message-----
> From: Chris Lynch [mailto:[EMAIL PROTECTED] 
> Sent: Friday, May 21, 2004 5:11 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Domain Controller Security...
> 
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I know.  I agree that this isn't good security practice.  I wouldn't
> recommend this as well.  But, for the lack of space in most locations
> (and we are only talking about 4 locations), we would just like to
> give the local tech access to that DC only and no other DC in the
> domain.  I can restrict them to log onto that DC local to them only
> (via GPO).  I might just give them Server Operators rights, restrict
> them to log onto that DC only, and call it a day.
> 
> Thanks,
> 
> Chris 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of 
> > Roger Seielstad
> > Sent: Friday, May 21, 2004 10:19 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Domain Controller Security...
> > 
> > True... I musta read half the question (again).
> > 
> > 
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >  
> > 
> > > -----Original Message-----
> > > From: joe [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, May 21, 2004 12:41 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Domain Controller Security...
> > > 
> > > I am not sure that fits his requirements for this one...
> > > 
> > > Sounds like he is file sharing from the DC (not something I personally
> > > recommend) and obviously it would be a bit much to dcpromo down
> > > and back up to add a new share.
> > > 
> > >   joe
> > > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Roger 
> > > Seielstad
> > > Sent: Friday, May 21, 2004 11:54 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] Domain Controller Security...
> > > 
> > > I like Joe Richards' option - DCPromo it out, let the tech work on it,
> > > and DCPromo it back in
> > > 
> > > 
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > >  
> > > 
> > > > -----Original Message-----
> > > > From: Chris Lynch [mailto:[EMAIL PROTECTED]
> > > > Sent: Friday, May 21, 2004 11:27 AM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [ActiveDir] Domain Controller Security...
> > > > 
> > > >  
> > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > Hash: SHA1
> > > > 
> > > > I'm wondering if anyone has accomplished the following:
> > > > 
> > > > Provided different security policies to multiple DC's within the same
> > > > domain, but different OU's for field techs to manage resources on just
> > > > that DC without giving Server Operators rights.
> > > > 
> > > > I have almost all of the requirements resolved, except the ability to
> > > > create shares.  I have modified the security on the
> > > > HKLM\System\CurrentControlSet\Services\LanManserver and
> > > > HKLM\System\ControlSet001\Services\LanManserver with no success.
> > > > Every document I have read about where the share definitions are
> > > > stored says they are located in these two reg keys.
> > > > 
> > > > I know the simple way would be to deploy another server to that
> > > > location and give them local Administrator rights.  But, management
> > > > doesn't want to do this.
> > > > 
> > > > Thanks for any input,
> > > > 
> > > > Chris Lynch
> > > > 
> > > > 
> > > > List info   : http://www.activedir.org/mail_list.htm
> > > > List FAQ    : http://www.activedir.org/list_faq.htm
> > > > List archive: 
> > > > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > > > 
> 
> 
> 
> 
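An added audit script, not from anyone in the thread, that checks the two points raised above on a single DC: who can write to the LanManServer\Shares key where share definitions live, and who sits in Server Operators or has registered SYSTEM scheduled tasks (the Task Scheduler path Roger describes). It assumes a current Windows Server DC with the ActiveDirectory and ScheduledTasks modules available and an elevated session; the group and key names are the standard ones, everything else is local to your environment.

```powershell
# Constructed example for auditing delegated share creation on a DC.
# Assumes: run elevated on the DC; ActiveDirectory module present (RSAT-AD-PowerShell).
$sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Shares'

Write-Host "== Principals with write access to the share-definition key =="
$acl = Get-Acl -Path $sharesKey
$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band ([int]$setValue)) -ne 0
    } |
    Select-Object IdentityReference, RegistryRights, IsInherited |
    Format-Table -AutoSize

Write-Host "== Share definitions stored in the registry (one REG_MULTI_SZ per share) =="
$props = Get-ItemProperty -Path $sharesKey
$props.PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object {
        [pscustomobject]@{ Share = $_.Name; Definition = ($_.Value -join '; ') }
    } | Format-Table -AutoSize

Write-Host "== Server Operators membership (built-in DC group) =="
# Server Operators can create shares but also schedule tasks that run as LocalSystem.
Get-ADGroupMember -Identity 'Server Operators' -Recursive |
    Select-Object SamAccountName, objectClass | Format-Table -AutoSize

Write-Host "== Scheduled tasks on this DC running as SYSTEM, with author =="
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18' } |
    Select-Object TaskName, TaskPath, Author,
        @{ n = 'RunAs'; e = { $_.Principal.UserId } } |
    Format-Table -AutoSize
```

Any non-administrator identity that shows up in the first table, or any task in the last one whose Author is a field-tech account, is the exposure the thread is warning about.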
