Sakari, you are scaring me here...
 
Yann, you are basically saying, "Hi, I need to give someone I don't trust enhanced rights on only a single domain controller so they cannot hurt other domain controllers." This is not really possible. You can do a lot of one-off delegation pieces, but you aren't really doing a whole lot to protect yourself from the fact that you don't trust this person to have access to all of your DCs. Once on the one DC, one of many techniques can be used to get themselves access to the rest.
 
You honestly have two real answers in my book.
 
1. Break the work up into something the non-trusted person can do and the rest is given to a DA to do.
 
2. Find some other way to do the work, usually some form of proxy based solution that has rules you can apply so the person can't just do what they want, but instead only what you allow them.
 
Of course the other thing to do is not do what it is you are doing with that DC, which is probably something like sharing files or printers or something like that.
 
joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 6:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Delegation of privilege

Hi Yann,
 
You could grant your user those privileges that are listed as User Rights, by applying a corresponding Group Policy Object to only one DC. However, this is probably not enough for you. For example, you cannot grant a privilege to format hard drives or share folders this way.
 
Yours, Sakari
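The user-rights route Sakari describes, and joe's point that rights on one DC tend to reach the whole domain, can at least be audited. The following is an added example, not code from this thread: it parses the [Privilege Rights] section of a GPO security template (GptTmpl.inf, where a GPO stores its User Rights Assignment) and flags rights that give the holder read or write reach over the DC's own files and AD database. The template body, the S-1-5-21-... domain SID and the risk classification are constructed for the example.

```python
import configparser

# Rights that give a holder read/write reach over the DC's own OS or AD
# database. The classification is this example's own, not from the thread.
HIGH_IMPACT = {
    "SeBackupPrivilege": "read any file, including the AD database (ntds.dit)",
    "SeRestorePrivilege": "overwrite any file regardless of its ACL",
    "SeLoadDriverPrivilege": "load kernel-mode code",
    "SeDebugPrivilege": "attach to any process, including LSASS",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Constructed GptTmpl.inf body. Trustees are written the way secedit stores
# them: SIDs prefixed with '*'. S-1-5-32-549 is the well-known Server
# Operators SID; the S-1-5-21-... domain SID is a made-up placeholder.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-21-1111-2222-3333-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-21-1111-2222-3333-1105
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-21-1111-2222-3333-1105
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
"""

def parse_privilege_rights(text):
    """Return {privilege: [trustee, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep SeXxxPrivilege names case-sensitive
    cp.read_string(text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {
        priv: [t.strip() for t in value.split(",") if t.strip()]
        for priv, value in cp.items("Privilege Rights")
    }

def flag_high_impact(rights, trustee):
    """List (privilege, why) for every high-impact right granted to trustee."""
    return sorted(
        (priv, HIGH_IMPACT[priv])
        for priv, holders in rights.items()
        if priv in HIGH_IMPACT and trustee in holders
    )

if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_TEMPLATE)
    for priv, why in flag_high_impact(rights, "*S-1-5-21-1111-2222-3333-1105"):
        print(f"{priv}: {why}")
```

Point it at the GptTmpl.inf under a real GPO's SYSVOL folder (MACHINE\Microsoft\Windows NT\SecEdit) to see what a DC-scoped GPO actually hands out.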
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: [email protected]
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)
 
I would like to give one of my users the "server operator" privilege on only one DC, and not all the DCs of my AD 2003.
I know that DCs do not have a SAM locally, and the only way to give this privilege is to use the Built-in Groups in the Built-in container. But doing this allows my user to be server op for all DCs in my domain.
 
The purpose of my question is:
=> to give one user the privilege to fully manage *only one* DC with the "server operator" privilege, without having the right to use MMCs such as ADUC, Schema, dssite, replmon, or the repadmin commands.
 
Is this possible?
 
Thanks for input.
 
Cheers,
 
Yann
 
 
