Joe-
I appreciate you trying to make me fully aware of the implications of
this. Believe me I am. The knowledge that such a move would give a
handful of simpletons the ability to bring the entire network and thus
the business to its knees is fully understood. One day I hope to be in
a position to simply say "no" when asked to do something this stupid.
Until that day...

You addressing the need to migrate profiles answers my question about
whether profiles would be affected. 

Thank you for your time.


Michael Hauck 
Network Administrator 
HiRel Systems 
603-842-8808 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 05, 2005 12:36 PM
To: [email protected]
Subject: RE: [ActiveDir] Terminal Server to DC


Well first off, you won't have power users for them any more. Doesn't
exist on domain controllers. So whatever access you grant them through
that will change and you will have to find some other way to do what
they want or not do it at all. Most likely you will assign them
administrator or tell them to do without. Honestly, with interactive
access, might as well make them domain/enterprise admins and be honest
about the level of access right off so there are no remarks of "I had no
idea they could do that" later on when something gets dorked over by one
of these users either on accident or on purpose. 

Next, the profiles will have to be migrated. I have heard of tools to do
that, but haven't actually used any as it isn't something I tend to
worry about. I am unaware of whether they would work in this specific
scenario or not since it is kind of odd ball. 

All groups currently defined on the machine and any security laid down
via those groups say on files, folders, reg keys, services,
rights/privileges, etc will all be impacted. Obviously the SIDs of the
groups if recreated and in fact the users themselves will be different
so any ACLs that contain those SIDs will need to be redone. Unless you
used everyone or authenticated users for all ACLing which is about the
level of security it sounds like we are concerned about in this case,
then you have to reACL all files, folders, or any other securable
objects used by the users. 

The users themselves on the machine won't have any additional security
concerns. They already had what they would have being on a TS and the
possibility of someone escalating their rights via power users access
rights, however others in the domain and forest if this is a DC that is
going into a larger configuration will now be subject to attack
including any and all domain and enterprise admins. 



  joe
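The two points joe raises above (ACEs holding machine-local SIDs or
Power Users stop resolving once the box is a DC, and local profiles have
to be migrated) can be inventoried before dcpromo so nothing is found
out the hard way afterwards. The script below is an added example from
the editor, not code posted by joe or Michael and not a Microsoft tool.
It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts
module (Get-LocalUser) on the still-unpromoted member server; the
`$Path` default is a placeholder for the application share, and the
function names are the example's own.

```powershell
# Added example (not from the thread): pre-promotion audit for a terminal
# server about to become a DC. It reports
#   (1) explicit NTFS ACEs under $Path whose principal is scoped to the
#       machine SID (local users/groups) or is BUILTIN\Power Users, and
#   (2) user profiles keyed to machine-scoped SIDs.
# Neither survives dcpromo: local accounts are removed and Power Users does
# not exist on a domain controller.
# Assumes PS 5.1+ with Get-LocalUser; run BEFORE promotion (Get-LocalUser
# fails on a DC). $Path is a placeholder; function names are hypothetical.
param(
    [string]$Path = 'D:\AppData',   # placeholder: application/data tree to audit
    [switch]$Recurse
)

$PowerUsersSid = 'S-1-5-32-547'     # well-known SID of BUILTIN\Power Users

# All local accounts share the machine SID (S-1-5-21-x-y-z). Read it from
# the built-in Administrator (RID 500), which exists whatever it is named.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
                Select-Object -First 1
if (-not $builtinAdmin) { throw 'Could not determine the machine SID from a local account.' }
$machineSid = $builtinAdmin.SID.AccountDomainSid.Value

function Get-LocalPrincipalAces {
    param([string]$Root, [bool]$Deep)
    $targets = @(Get-Item -LiteralPath $Root)
    if ($Deep) {
        $targets += @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    }
    foreach ($item in $targets) {
        try { $acl = Get-Acl -LiteralPath $item.FullName } catch { continue }
        # Ask for SIDs, not NTAccount names, so ACEs that are already
        # orphaned (unresolvable) are still reported. Explicit ACEs only;
        # inherited ones are reported at the object that defines them.
        $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid    = $rule.IdentityReference.Value
            $reason = $null
            if     ($sid -eq $PowerUsersSid)             { $reason = 'Power Users (absent on a DC)' }
            elseif ($sid.StartsWith("$machineSid-"))     { $reason = 'local account/group (machine SID)' }
            if (-not $reason) { continue }
            $name = '<unresolved>'
            try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Path    = $item.FullName
                Sid     = $sid
                Account = $name
                Rights  = $rule.FileSystemRights
                Type    = $rule.AccessControlType
                Reason  = $reason
            }
        }
    }
}

function Get-LocalScopedProfiles {
    # ProfileList holds one subkey per SID that has a profile on this box.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $profileList | ForEach-Object {
        $sid = $_.PSChildName
        if ($sid.StartsWith("$machineSid-")) {
            [pscustomobject]@{
                Sid         = $sid
                ProfilePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            }
        }
    }
}

$aces = @(Get-LocalPrincipalAces -Root $Path -Deep $Recurse.IsPresent)
"Explicit ACEs under $Path that will not resolve after promotion: $($aces.Count)"
$aces | Format-Table -AutoSize

'User profiles keyed to machine-local SIDs (candidates for migration):'
Get-LocalScopedProfiles | Format-Table -AutoSize
```

Run it as `.\Audit-PrePromotion.ps1 -Path 'D:\AppData' -Recurse` from an
elevated prompt. The ACE list is the re-ACL worklist joe describes (each
row is a grant that has to be re-issued to the new domain principal), and
the profile list is what has to be migrated or recreated. Registry keys,
printers and services carry their own ACLs and are not covered by this
file-system pass.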


 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Hauck
Sent: Tuesday, April 05, 2005 12:13 PM
To: [email protected]
Subject: RE: [ActiveDir] Terminal Server to DC

Thank you for pointing this out but I understand the security issues. I
am not making the call on this I have simply been asked to research the
functionality of a terminal server promoted to a domain controller.


Michael Hauck
Network Administrator
HiRel Systems
603-842-8808 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 05, 2005 12:03 PM
To: [email protected]
Subject: RE: [ActiveDir] Terminal Server to DC


> I will need to give each user the ability to log on locally. That is 
> fine.

Huh?

Is this a standalone domain controller, i.e. not in a part of a forest
or other domain? If not, this truly isn't fine unless you don't have any
concerns about security and when I say no concerns about security I mean
you don't care if you have it or not. You would be putting users into a
position where they could make your life very painful. 

Domain Controllers should have no one but domain admins logging into
them interactively. 


  joe



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Hauck
Sent: Tuesday, April 05, 2005 11:52 AM
To: [email protected]
Subject: [ActiveDir] Terminal Server to DC

Hello all.
We have a terminal server in a remote location that has been used by a
handful of people. We now have a need to promote this Win2K server to a
DC. The issue is, this server needs to remain a TS as well. These few
users are set up in the Power User group on the local machine and access
a single program that is installed on this server as well as a couple of
printers that have been set up for each profile.

I understand once this server is promoted all local accounts will go
away and that I will need to give each user the ability to log on
locally. That is fine. My question is, does the upgrade affect the
users' profiles currently installed on that server? Once I have gone
through the process of promoting this server (and giving them Log on
Locally rights) will they be able to access the server like nothing has
changed or will I be setting each user up from scratch?

Michael Hauck
Network Administrator
HiRel Systems
603-842-8808 

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/