Super Administrator rights


Citimouse

Hi,

I have several Windows 2000 servers and one Windows 2003 server. The Windows
2003 server is a domain controller. The rest are member servers.

All the Windows 2000 servers are test servers for the developers to do
testing. So they often need to install and reinstall software and also
change settings on the servers. Therefore, they are currently using the domain
administrator login when using the servers. I know that is unwise.

I would like to protect my DC from all users except Domain Admins. Is there
a way that I can configure the domain in such a way that the developers can
continue to install software or change settings on the test servers but not
on the domain controller?

Thank you.

WY
 
Hello,

please don't crosspost. You won't get your answers any faster, and it
forces you to look in several places for answers when people reply only to a
single newsgroup.

As with regards to your question, if the Windows 2000 servers are just
member servers, then have the developers log into those machines with the
local administrator account.
They will have full access to that machine, but not to your 2003 DC.
If they want to mess around with Active Directory, then create a separate OU
for them and grant them the rights needed to be super admins, but only in
their little corner of AD.

regards,

SteveC
======
If at first you don't succeed, forget skydiving
 
Yes, remove them from the domain admin group.
Make them a member of the local administrator group on the test servers,
or just give them their own accounts on the test servers with admin rights.
When they have to log in to the machine to make changes, they would then
log in locally instead of into the domain.
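The change described in the two answers above (take the developers out of Domain Admins, give them admin rights on the test member servers only), written out as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module on the admin workstation, PowerShell remoting on the test servers, and that the domain name CONTOSO, the group name DevTestAdmins, the user names and the server names are placeholders to be replaced.

```powershell
# Added example (not from the thread): move developers off Domain Admins and
# grant them local Administrators rights on the test servers only.
# Assumptions: RSAT ActiveDirectory module installed, PowerShell remoting
# enabled on the test servers, and these names are all placeholders.
Import-Module ActiveDirectory

$developers  = 'dev1', 'dev2'                 # placeholder SamAccountNames
$testServers = 'TEST01', 'TEST02', 'TEST03'   # placeholder member servers (never a DC)
$devGroup    = 'DevTestAdmins'                # placeholder domain group name

# 1. One domain group holds the developers, so membership is managed in one place
if (-not (Get-ADGroup -Filter "Name -eq '$devGroup'")) {
    New-ADGroup -Name $devGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $devGroup -Members $developers

# 2. Take the developers out of Domain Admins
Remove-ADGroupMember -Identity 'Domain Admins' -Members $developers -Confirm:$false

# 3. Grant the group local Administrators on each test server, and nowhere else.
#    Add-LocalGroupMember throws if the member is already present, hence the
#    SilentlyContinue so re-running the script is harmless.
Invoke-Command -ComputerName $testServers -ScriptBlock {
    param($member)
    Add-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue
    Get-LocalGroupMember -Group 'Administrators' | Select-Object @{n='Server';e={$env:COMPUTERNAME}}, Name
} -ArgumentList "CONTOSO\$devGroup"

# 4. Verify: the list below should come back empty
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object SamAccountName -in $developers |
    Select-Object SamAccountName
```

Step 3 lists the resulting local Administrators group on each server so the change can be checked in the same run; step 4 confirms that no developer account is still a direct member of Domain Admins.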
 
That's pretty-much the answer.

There would be a way for these people to quite easily gain domain admin
rights if they had admin rights to a member server. Making them a "Server
Operator" would see to that, but it's all a matter of trust really.

Oli
 
But does the role of a server operator allow them to install programs on a
machine? I have tried that but they always complain they cannot install
programs when they are server operators.
 
Quite possibly not. As I understand it, Server Operators is for a server
what Power Users is for a workstation.
 
Oli Restorick said:
That's pretty-much the answer.

There would be a way for these people to quite easily gain domain admin
rights if they had admin rights to a member server. Making them a "Server
Operator" would see to that, but it's all a matter of trust really.

Oli

Oli, how could they gain domain admin rights? How is that different
than a user w/ local admin rights to his/her PC??

I can see if the net admins were careless enough to run services on the
member servers, such as the Task Scheduler, w/ domain admin user(s).
 
If a domain admin logs into that PC at all, a malicious server administrator
could modify the domain admin's local profile so that next time the domain
admin logged in a command runs and either creates a new user with domain
admin rights or increases the permissions of an existing account.

Having a roaming profile for the domain admin would see to that issue, but I
don't know of anyone who actually does that.

Regards

Oli
 
Oli Restorick said:
If a domain admin logs into that PC at all, a malicious server administrator
could modify the domain admin's local profile so that next time the domain
admin logged in a command runs and either creates a new user with domain
admin rights or increases the permissions of an existing account.

Having a roaming profile for the domain admin would see to that issue, but I
don't know of anyone who actually does that.

Regards

Oli

Oh crap, I never thought about that! But that would then also apply to
users w/ local admin rights to their workstations!!
 
In our company, domain admins do not log into any server other than the
domain controllers.

We have OU admins for the rest of the server management and the domain
admins manage the infrastructure stuff. OU admins are not allowed access to
the infrastructure servers.


Oli Restorick said:
If a domain admin logs into that PC at all, a malicious server administrator
could modify the domain admin's local profile so that next time the domain
admin logged in a command runs and either creates a new user with domain
admin rights or increases the permissions of an existing account.

Having a roaming profile for the domain admin would see to that issue, but I
don't know of anyone who actually does that.

Regards

Oli
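The risk Oli describes above (a domain admin logging on to a member server that a local administrator controls) and the policy in the reply that followed (domain admins log on only to domain controllers) can both be checked with an audit of the member server's Security log. The script below is an added example, not code from the thread: it lists interactive logons by members of Domain Admins on the server it runs on, from Event ID 4624. It assumes the RSAT ActiveDirectory module, rights to read the Security log, and a seven-day look-back window chosen here for illustration.

```powershell
# Added example (not from the thread): flag interactive logons by Domain Admins
# members on this member server, using Security Event ID 4624.
# Assumptions: RSAT ActiveDirectory module, permission to read the Security log.
Import-Module ActiveDirectory

# Resolve the current Domain Admins membership (nested groups included)
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName

# Logon types that load a user profile on this machine: 2 = Interactive,
# 10 = RemoteInteractive (RDP), 11 = CachedInteractive. Network logons (3)
# do not load a profile and are not the case discussed in the thread.
$profileLogonTypes = '2', '10', '11'

$since  = (Get-Date).AddDays(-7)   # look-back window chosen for illustration
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.LogonType -in $profileLogonTypes -and $domainAdmins -contains $data.TargetUserName) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $data.LogonType
            Source      = $data.WorkstationName
            SourceIp    = $data.IpAddress
        }
    }
}

if ($findings) {
    $findings | Sort-Object Time | Format-Table -AutoSize
} else {
    "No Domain Admins interactive logons on $env:COMPUTERNAME since $since"
}
```

Any row this produces on a test server is exactly the situation the thread warns about: a Domain Admins profile now exists on a machine where other people hold local administrator rights. Running it from a scheduled task on each member server, and forwarding the results, turns the "domain admins only log on to DCs" policy into something that is actually verified.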
 