Honestly, any time someone asks a question like this my
response is to make them domain admins, because any time they want it they can take
it, and making them server ops is just a way so you can report you have fewer
admins; basically you are adhering to the letter of some rule instead of the
intended spirit.
Someone who gives enhanced rights less than administrator
on a DC to someone either doesn't understand how Windows works (nor Forest
security) or assumes that the people they are giving the access to don't
know how it works or how to enhance themselves. The bad thing is that at
some point those untrusted people may run some program that does know how to
enhance those permissions, OR they learn how to do it themselves.
Basically what security do you think you have by not giving
them domain admins right up front?
This has been a popular
discussion point over the years on this list. Look through the
archives.
This also goes for people
who allow other non-admin groups to run things like monitoring, Software
Delivery, Auditing, and distributed AV solutions that have services running
on DCs as local system or with other high privileges that allow ad hoc software
load or process execution.
joe
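One thing joe's reply implies but does not spell out is the check an admin would run first: who already holds these rights, and what is already running with them on the DCs. The audit script below is an added example, not something from this thread or from the list archive; it assumes a current Windows admin workstation with the ActiveDirectory RSAT module and CIM/WinRM access to the DC, and the DC name dc01.example.com is a placeholder. It lists the recursive membership of the built-in operator groups and the services on a DC that run as LocalSystem from a non-Windows binary path or under a domain account, which are the two exposures joe describes (operator group members who can raise themselves, and third-party agents such as monitoring, software delivery and AV running as SYSTEM on DCs).

```powershell
# Added audit example; not from the ActiveDir thread. Assumes the ActiveDirectory
# RSAT module and CIM access to the DC given in -DomainController. 'dc01.example.com'
# and the group list are assumptions you should adjust for your own forest.
#Requires -Modules ActiveDirectory

function Get-DcOperatorGroupMembers {
    # Recursively enumerates the built-in operator groups. Every account listed here
    # can log on to a DC with rights that are, in practice, one step from Domain Admin.
    param(
        [string[]]$Groups = @('Server Operators', 'Account Operators',
                              'Backup Operators', 'Print Operators')
    )
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{ n = 'Group'; e = { $g } },
                          SamAccountName, objectClass, distinguishedName
    }
}

function Get-DcPrivilegedServices {
    # Lists services on the DC that (a) run as LocalSystem from a binary outside the
    # Windows directory (third-party agents), or (b) run under a domain account.
    # Whoever controls that binary or its service configuration executes as that
    # identity on the DC. The path test is a heuristic: adjust it if SystemRoot is custom.
    param([Parameter(Mandatory)][string]$DomainController)

    Get-CimInstance -ClassName Win32_Service -ComputerName $DomainController |
        Where-Object {
            ($_.StartName -eq 'LocalSystem' -and
             $_.PathName -notmatch '(\\Windows\\|%SystemRoot%|\\SystemRoot\\)') -or
            ($_.StartName -match '\\' -and
             $_.StartName -notmatch '^NT (AUTHORITY|SERVICE)\\')
        } |
        Select-Object Name, StartName, State, StartMode, PathName
}

# Usage (assumed DC name; replace with your own):
Get-DcOperatorGroupMembers | Format-Table -AutoSize
Get-DcPrivilegedServices -DomainController 'dc01.example.com' | Format-Table -AutoSize -Wrap
```

Run it from a workstation with RSAT rather than on the DC itself; the first table is the list of people joe says you should either treat as domain admins or remove, and the second is the list of agents whose vendors and operators effectively hold SYSTEM on your domain controllers.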
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, June 10, 2005 4:57 AM
To: [email protected]
Subject: [ActiveDir] mstsc /console switch for non admins
Hi,
Our IT Operations team will require access to our remote Windows 2003 DCs,
which act as File & Print Servers.
At the moment, they are members of the built-in domain Server Operators
group, and they use Remote Desktop to connect to the DCs for
data/print services support/administration, which gives them the remote access
they require.
I would like them to use the mstsc /console switch; however, it seems only
members of the domain administrators group can use this switch, as the others are
unable to log on.
The IT Ops user can log on to the server via the physical KVM console using
the same account and has access. Only through mstsc /console are they denied
access.
The Server Operators group has the following rights:
Allow logon through Terminal Services
Log on Locally
Does anyone know of a way around this so I can allow non-admins to use the
/console switch?
Any ideas or alternative workarounds appreciated, and I already understand
that non-admins are not supposed to log on to DCs, but due to politics we have to
allow this...for the time being.
Thanks
- Frank