By the way, I found the link for giving a user the right to manage shares on a machine, without giving him additional administrative rights.
I don't know, I would like to give him rights to manage shares on DC, as he might easily remove the SYSVOL or NETLOGON share.
I also agree with Coleman that it would be best if he doesn't log in to the DC, and shares and everything else are done on a separate PC. You can ask him to install the administrative tools on his PC, which will allow him to manage user accounts in his location OU from his PC.
Ultimately, the choice is yours, as well as the consequences.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 9/21/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:
1) Restricting his login to that particular DC
I would suggest, creating a group policy in which you add that user id in "allow logon locally" and "allow logon through terminal services" user rights.
And making sure that this Policy applies to that DC only, by "security filtering" on group policy.
NOTE: make sure you remove authenticated users from security filtering

2) Allowing him to share/ change NTFS permission
AFAIK, user should have "Power Users" rights to share any folder. but there are no local group on DC, where you can give him that right. you can only make him member of Power Users group on domain, which defeats the purpose of restricting him to that DC only.
For changing NTFS permission, directly give him FULL CONTROL rights over a particular folder, and ask him to create everything inside that.

3) restricting to specific OU
You can use delegation wizard in ADUC console to give his user id rights to manage that OU.
Kamlesh
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 9/21/05, van Donk, Fred <[EMAIL PROTECTED]> wrote:
I have a contractor in a remote site. There is only 1 server in that site which is a DC.
He needs to administer that server.
- Create shares
- Make file/share permissions
- Change user passwords in the User OU for that site.
He is not allowed to log on to any other server in the domain.
When I make him a "Server Operator" he can logon to any server in the domain.
Any idea on how to lock him down to that one server and then how to lock him down on that one OU where he should only be allowed to change the passwords of the users.
Thanks!
Fred
