Fred-

This is not possible. While you can make it more difficult for the user to do things you don't want him to, if you give him either physical access to the DC or the ability to log on to the DC, he is in a position to elevate his permissions to the point of owning your forest.

If you can move the files and shares to another machine, then restricting him to only be able to change passwords within a particular OU is easy by either setting the OU security directly or going through the Delegation of Control Wizard.
Hunter
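The OU-level delegation Hunter describes, done "by setting the OU security directly" instead of through the Delegation of Control Wizard, as an added example that is not part of either message in the thread. It uses the ActiveDirectory module's AD: drive with Get-Acl/Set-Acl to grant one group the "Reset Password" control-access right on user objects under a single OU. The OU distinguished name and the group name are placeholders; the two GUIDs are the well-known schema identifiers for the Reset Password extended right and the user object class.

```powershell
# Added example (not from the thread): delegate "Reset Password" on user objects in one OU
# by editing the OU's security descriptor directly. Run as a domain admin on a machine
# with the ActiveDirectory module (RSAT). OU and group names below are assumed placeholders.
Import-Module ActiveDirectory

$ouDN      = 'OU=Users,OU=RemoteSite,DC=example,DC=com'   # assumed: the site's user OU
$groupName = 'RemoteSite-PasswordResetters'               # assumed: group the contractor is placed in

# Resolve the group to a SID so the ACE is not tied to the group's display name
$group = Get-ADGroup -Identity $groupName
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Well-known schema GUIDs: the "Reset Password" control-access right and the "user" class.
# Scoping the ACE to inherited user objects keeps it from applying to computers or groups in the OU.
$resetPasswordGuid = [Guid] '00299570-246d-11d0-a768-00aa006e0529'
$userClassGuid     = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDN"

# Allow: ExtendedRight (Reset Password) on descendant objects of class user only
$resetRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($resetRule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: show exactly what the group now holds on this OU. Expect one ACE with
# ActiveDirectoryRights = ExtendedRight, ObjectType = the Reset Password GUID,
# InheritanceType = Descendents, InheritedObjectType = the user class GUID.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType, InheritedObjectType
```

The ACE is scoped to the one OU and to user objects only, which is the piece of the request that delegation can satisfy; it does not touch group membership or logon rights, so it never grants anything on the DC itself. The Wizard's "Reset user passwords and force password change at next logon" task additionally writes the pwdLastSet attribute; if that behaviour is wanted, add a second rule for that attribute rather than widening this one.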
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of van Donk, Fred
Sent: Tuesday, September 20, 2005 2:52 PM
To: [email protected]
Subject: [ActiveDir] Domain Controller Security
I have a contractor in a remote site. There is only 1 server in that site which is a DC.

He needs to administer that server.

- Create shares
- Make file/share permissions
- Change user passwords in the User OU for that site.

He is not allowed to log on to any other server in the domain.

When I make him a "Server Operator" he can log on to any server in the domain.

Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.
Thanks!
Fred
