Print Server [message #161720] Tue, 06 October 2009 11:35
Dave[2]
We have a branch office where we plan to use an RODC as a print server for the branch. Would like to know if adding the print admin into the "Print Operators" Local Role on the RODC is sufficient for printer management, as we remove the Print Operators group from the Allow Login Locally right from the DC Policy. Since there is a local SAM in the RODC, can we also assign any local policies which will be applicable to that print server, just like the way you assign them for any member server?

Can we move the RODCs into child OUs under the Domain Controllers OU? Is that a best practice? This is mainly for applying policies specific to RODCs or server roles running on RODCs.

From what we have seen, members of at least some of the local role holders like Server Operators and Print Operators can create files in SYSVOL, thereby creating failures in SYSVOL replication.


--
Re: Print Server [message #161756 is a reply to message #161720] Wed, 07 October 2009 03:42
Jim
Haven't tried it, but I think that's the whole motive of administrative role separation. I assume that you are referring to removing the Domain Printer Operators group from Allow logon Locally, etc. group policies... I think that should not have any effect on a print admin who is a member of the local print server role group; it should still allow him to log in locally and allow him to perform print management tasks. Local Policies... got to look into this.

I don't think moving an RODC out of the default DC OU is a good idea, and I wonder if it's supported also?

Yes, in my opinion this is no different from a RWDC. The only issue that I see is that earlier such write operations on a DC were done with a high-privilege account; however, with an RODC, a delegated user who has AD privileges can still write to the file system on the RODC, causing SYSVOL corruption and other security issues.

