Server Operator Role

Jeff

I know that the server operator is for domain controllers
only. However, we need to create an account that is
essentially the server operator role for all servers
including our Citrix farm. I created a test user and
added him to a new group. I then blocked that group from
running group policies and added the group to Log On
Locally on the machine. He still cannot log in. What am
I missing?
 
The Logon Locally settings are computer settings, not user settings. Thus,
you will either need to block policy processing on this/these computer
object(s), or make this change at a higher level.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
 
From re-evaluating what they are looking for, it seems
they are looking for a group to have local admin rights to
each server. If I assign the group to the Administrators
group (not Domain Admins), would that accomplish what I am
looking for? Basically, they need to log on locally,
modify share permissions, printers, etc. We just don't
want to allow them to modify AD. Actually, I could just
assign the users to the Administrators group, couldn't I?
 
If you assign a group to the Administrators group you're making them
administrators over every DC (and therefore the domain, from the point of
view that a DC is the domain and they have full control over the DC; that's
AD, not domain computers).

You would probably be better off creating a group and granting this group
certain rights and permissions, such as Logon locally, create shares, write
permissions to certain OUs, etc.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
 
Making someone a servop over a member server is rather involved. If you can live
with them being administrators on the member server, that will be considerably
easier, and let's face it, having srv ops gives someone enough power to be
dangerous on a server anyway, so making them admin isn't much of a step.

Anyway you will want to make them admin on the citrix servers, not on the domain
controllers. So set the citrix boxes in a special OU and create a policy for
that OU that has administrators defined as a restricted group and add your users
to that policy or some domain local or domain global group and then add your
users to that group.

joe
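An added audit script (not from the thread or any poster) that checks the end state Joe describes: the delegated group should be a local Administrator on the Citrix member servers and nowhere near Builtin\Administrators on the DCs, and the "Allow log on locally" right (a computer setting, as Paul notes) should actually be present on each member server. It assumes the RSAT ActiveDirectory module, PowerShell Remoting to the member servers, Windows Server 2016 or later for Get-LocalGroupMember, and that the OU path and group name are hypothetical placeholders to be replaced.

```powershell
# Added example, not the thread's own procedure. Placeholders: the OU path and
# the delegated group's sAMAccountName must be replaced with your own values.
param(
    [string]$DelegatedGroupSam = 'Citrix-ServerAdmins',                     # hypothetical group
    [string]$CitrixOU          = 'OU=Citrix,OU=Servers,DC=contoso,DC=com'   # hypothetical OU
)

Import-Module ActiveDirectory

# Member servers the Restricted Groups policy is meant to cover.
$citrixServers = Get-ADComputer -Filter * -SearchBase $CitrixOU |
    Select-Object -ExpandProperty DNSHostName

# Probe run on each member server: local Administrators membership plus the
# SeInteractiveLogonRight assignment exported from the effective security policy.
$probe = {
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        LocalAdmins  = $admins
        LogonLocally = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    }
}

$groupPattern = '\\' + [regex]::Escape($DelegatedGroupSam) + '$'

# Member-server report: one row per Citrix box.
$memberReport = Invoke-Command -ComputerName $citrixServers -ScriptBlock $probe -ErrorAction Continue |
    ForEach-Object {
        [pscustomobject]@{
            Computer     = $_.Computer
            GroupIsAdmin = [bool]($_.LocalAdmins | Where-Object { $_ -match $groupPattern })
            LogonLocally = $_.LogonLocally
        }
    }

# DC check: every DC shares the domain's Builtin\Administrators group, so one
# recursive membership query covers all of them (this is Paul's point about
# "Administrators on a DC" meaning the domain, not a single machine).
$dcAdmins = Get-ADGroupMember -Identity 'Administrators' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$groupOnDCs = $dcAdmins -contains $DelegatedGroupSam

$memberReport | Format-Table -AutoSize
$missing = $memberReport | Where-Object { -not $_.GroupIsAdmin }
if ($missing) {
    Write-Warning "Group is not a local admin on: $($missing.Computer -join ', ')"
}
if ($groupOnDCs) {
    Write-Warning "Group '$DelegatedGroupSam' resolves into Builtin\Administrators; it has DC (domain) admin rights."
} else {
    Write-Output "OK: '$DelegatedGroupSam' is not a member of Builtin\Administrators."
}
```

The SeInteractiveLogonRight line from secedit lists SIDs (for example *S-1-5-32-544 for Administrators), so an empty value on a member server means the policy for that OU never reached the machine, which is the symptom Jeff reports.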
 
I completely misread that one!! I thought we were talking about DCs <blush>

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net

joe
 
Ok.. Once again. This is an odd situation. We basically
have a number of users with Domain Admin permissions. We
would like a set of users with access to the servers but
not Active Directory. The Server Operator role allows
local log on, shares, printers, permissions, etc.
However, it does not allow access to modify users, user
settings or Group Policy. The problem with Server
Operators is that this is limited to only DCs. We
basically want the users to have the equivalent of the
Server Op role but across the whole domain including the
DCs. We can't give them admin since that allows
modification of the user properties. We have three
policies set up. One on the Domain which is VERY basic.
The second is on the Domain Controllers which allows
various access levels. The last is on the Terminal
Servers. This one is EXTREMELY restrictive. Because of
this, the group cannot run the TS Policy. Hope this helps
clear up the situation.
 
Quite honestly, if you give them serv ops, you might as well make them
Enterprise Admins. A bright lad with interactive logon access to a DC will most
likely be able to escalate their privs right up the chain.

You shouldn't give ANYONE interactive or file system access to a DC that isn't a
domain admin and then keep in mind that a domain admin can get Enterprise Admin
if they know what they are doing.

The mistake is to think of DCs as any other server, they are not, they are the
stronghold for the security of your entire Windows environment. Just like I
don't know any UNIX admins who would let people write to the file system of a
UNIX KDC you shouldn't allow anyone to write to a Windows KDC and that is each
and every domain controller.

Thinking you can lock someone down who has interactive (or physical for that
matter) access to a DC is uninformed.

joe
 
So if they had access to the DC, they could still get into
AD Users and Computers and change permissions even with
restricted rights?
 
What I am saying is you can't sufficiently lock someone down that can logon
interactively. And from there, the forest is the security boundary, not the
domain, not the DC.

The security around domain controllers is based on users getting only network
based access to authentication/ldap/policies services. Generally read-only
except for some fairly non-consequential resources. As you bring someone into
the fold and give them access to manipulate the file system or get interactive
logon access or manipulate services the exposure increases tremendously.

joe
 