logon to DC without Admin rights

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have a service provider that will be handeling software updates and service
pack installation. I have a secured root forest and would like to provide
security to the forest, hence I dont want to give these guys access to
dsa,dssite,and dnsmgmt.msc's. Is there a group or way to configure my dc's
to allow this userid to logon just for updates to server? I know this
functionality is not normal as most Admins trust the service provider that is
taking care of the day to day. However I really don't want to give them
access to these functions.

Side note:
I know about the default domain controller policy where you can add the user
to logon locally, but this doesn't give them enough access, to do what they
need to do.

One thought was to give them a local account on/in directory restore mode,
this would allow them to logon to the local server without the AD and have
admin rights to the local (per say) server. I was just uncertain if I could
update all necessary drivers and or service packs in this environment. ( as
it is basically safe mode with limited functionality ( no network support for
example )


Thanks in advance.
 
The problem with allowing them to logon in AD Restore is that would give
them the ability to add themselves to the domain admins group per the link
below and logon to Recovery console.

http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm

If you enable Software Update Services on your network, Windows Updates and
Service Packs can be installed AND approved automatically or any .msi
package can be published/assigned to users or assigned to computers which
will allow installation without administrator intervention. --- Steve
 
Thanks for the feedback but I know just as a rule, if you have physical
access to the server anything is possible. However I still need to enable
this sort of function on the DC's. I also am aware of the SUS at the local
level and domain level, unfortunately my organization will not allow this
type of service on the servers. Workstations different story but the servers
they want to have as much controller as possible over the root. I have seen
the trick that you referenced from petri's website pretty slick I must say
but none the less I still have the same problem to deal with. So what are
your thoughts about the directory restore mode option, do you think that this
would be acceptable for software updates/patches?
Thanks once again for the feedback.
 
I have never heard of or read of anyone taking that approach and can not
recommend it myself. I can't think of another solution other than make sure
these people are trustworthy and competent and you can enable auditing on
the domain controllers for things like account management and policy change
to try and track that they are not doing things that they are not supposed
to. --- Steve
 
Back
Top