Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Win2008 rights [message #161768] Wed, 07 October 2009 07:30
southpaw (United States)
Hi,

I want to allow our remote IT support guy to log on to the DC and perform a
shutdown if needed, but not allow viewing AD or making any changes on the DC.
How do I set this up? Is there a particular group I can add the user to?

Win2008 RWDC

Thanks
Re: Win2008 rights [message #161771 is a reply to message #161768] Wed, 07 October 2009 08:03
meiweb (Germany)
Hello southpaw,

Any user by default is able to view with ADUC.

You can use Administrator Role Separation on an RODC in the branch office:
http://technet.microsoft.com/en-us/library/cc753170(WS.10).aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Re: Win2008 rights [message #161775 is a reply to message #161771] Wed, 07 October 2009 08:49
southpaw (United States)
Thanks Meinolf,
Does role separation also apply to RWDCs? I don't believe it does. Any
idea how I can delegate the rights to perform logon and reboots only for
RWDCs?


RE: Win2008 rights [message #161777 is a reply to message #161768] Wed, 07 October 2009 09:05
Joe Dunn
It's not possible. A user must have Administrator rights in the domain to
shut down a DC. Therefore they will have rights to view and change everything
as well.

If you don't trust someone to even view AD, why would you want to give them
the right to shut down a DC?

Best Regards
Joe Dunn
MBCS, MCSE, MCTS, CCNA


Re: Win2008 rights [message #161780 is a reply to message #161777] Wed, 07 October 2009 09:17
southpaw (United States)
Understood, but my manager wants it set up that way, and I was told it is
currently set up that way in one of our Win 2003 forests. Since I am
responsible for upgrading the DCs to Win2008, I thought I would post the
question of how this is possible...

thanks..

Re: Win2008 rights [message #161786 is a reply to message #161780] Wed, 07 October 2009 09:52
Joe Dunn
This question comes up regularly. There really isn't a way. There are some
solutions which people think work, such as granting a user Domain Admin rights
but then denying them specific rights in AD. But as the user is an
Administrator, they can always undo any restrictions which have been placed on
their account.

Believing there is a way only gives a false sense of security. Leave
administering DCs to people who are full Domain Administrators.

Re: Win2008 rights [message #161791 is a reply to message #161780] Wed, 07 October 2009 10:05
aceman (United States)

Southpaw, I'm curious,

How is it currently set up this way in one of your forests? Is the user
part of the domain's Domain Administrators group, or do they simply have
local administrator rights on the server in order to allow them to perform
server tasks, such as changing the clock, restarting, etc.?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS 2008, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA
Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Re: Win2008 rights [message #161792 is a reply to message #161791] Wed, 07 October 2009 10:33
southpaw (United States)
Hi Ace,

I am a bit curious too. I need to dig deeper into this. I believe perhaps
local administrative rights on the DC. Is this possible? I haven't looked into
it yet.

It would be a big help, I can see, from my manager's point of view. We have a
fairly large environment, over 75 DCs in various locations, and in particular
Dhaka, where there are always power issues that require a DC shutdown, and I
hate getting calls at 2am to power down a DC.
Believe me, I tried setting up PowerChute and it's hit or miss, never
really worked. If somehow we can delegate the role or rights to shut down a
DC when needed, it would certainly be a big help.

Sorry for my rant.
Re: Win2008 rights [message #161793 is a reply to message #161791] Wed, 07 October 2009 10:42
Joe Dunn
You can't just have local administrator rights on a DC. There's no local
SAM database.

Re: Win2008 rights [message #161794 is a reply to message #161793] Wed, 07 October 2009 10:47
southpaw (United States)
Joe,

My thoughts exactly. I'm looking but don't see any indication of how this is
set up. Perhaps the Server Operators group? Thoughts?


Re: Win2008 rights [message #161800 is a reply to message #161794] Wed, 07 October 2009 12:10
Dave
Yes, Server Operators and Print Operators have the right to log on locally and
also shut down the DC.

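Dave's point is a user-rights question, so it can be verified on the box rather than assumed. The following is an added example, not code from anyone in this thread: run on the DC, it exports the effective user rights with the built-in secedit.exe and reports who holds the rights that decide whether an account can get onto a DC and power it off. The file name under $env:TEMP is an arbitrary choice.

```powershell
# Added example (not part of the original thread): audit which principals hold the
# logon and shutdown user rights on this DC. Run in an elevated PowerShell session
# on the DC itself; secedit.exe is built in and exports the effective local policy.
# Well-known SIDs seen in the output: S-1-5-32-544 Administrators, S-1-5-32-548
# Account Operators, S-1-5-32-549 Server Operators, S-1-5-32-550 Print Operators,
# S-1-5-32-551 Backup Operators.
$inf = Join-Path $env:TEMP 'dc-userrights.inf'   # arbitrary scratch file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The rights that decide "can this account get onto the DC and power it off?"
$rightsOfInterest = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Remote Desktop Services'
    'SeShutdownPrivilege'           = 'Shut down the system'
    'SeRemoteShutdownPrivilege'     = 'Force shutdown from a remote system'
}

function Resolve-Sid {
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # orphaned or unresolvable entries are reported raw rather than dropped
    }
}

# secedit writes one line per right, e.g.:
#   SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
$report = Get-Content -Path $inf -Encoding Unicode | ForEach-Object {
    if ($_ -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest.ContainsKey($Matches[1])) {
        $right   = $Matches[1]
        $holders = @($Matches[2] -split ',' |
            Where-Object { $_.Trim() } |
            ForEach-Object { Resolve-Sid -Sid $_.Trim().TrimStart('*') })
        [pscustomobject]@{
            Right        = $right
            Policy       = $rightsOfInterest[$right]
            Holders      = ($holders -join '; ')
            # Anyone besides BUILTIN\Administrators holding these on a DC deserves a second look
            BeyondAdmins = (($holders | Where-Object { $_ -ne 'BUILTIN\Administrators' }) -join '; ')
        }
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue
$report | Format-Table -AutoSize -Wrap
```

On a default domain controller the BeyondAdmins column for "Allow log on locally" and "Shut down the system" already lists the operator groups, which is exactly why adding a support account to Server Operators "works" for the shutdown use case; the same column shows at a glance whether anything non-default has been granted on top.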
Re: Win2008 rights [message #161806 is a reply to message #161800] Wed, 07 October 2009 13:38
southpaw (United States)
Ah. Bingo! Did some checking and found remote IT is in the Server Operators
group. I can't believe the previous AD admin set it up this way. Correct me
if I'm wrong, but if you are a member of the Server Operators group, do you
have the rights to elevate to Domain Admin privileges?


Re: Win2008 rights [message #161820 is a reply to message #161806] Wed, 07 October 2009 21:32
aceman (United States)

No, members of Server Operators do not have AD permissions to make any
changes in AD. Test it. Create a test account, put it in the Server
Operators group and log on to the DC. You can see they're limited in
functionality.

Ace
Re: Win2008 rights [message #161834 is a reply to message #161775] Thu, 08 October 2009 00:39
meiweb (Germany)
Hello southpaw,

No, role separation is done especially for RODCs so that a site user can
do some really basic admin tasks.

As already mentioned, you can use the Server Operators security group; keep
in mind this allows the user to access ALL domain DCs.

Name: Server Operators
Description: A built-in group that exists only on domain controllers. By
default, the group has no members. Server Operators can log on to a server
interactively; create and delete network shares; start and stop services;
back up and restore files; format the hard disk of the computer; and shut
down the computer.

Also check this article about "Protected groups", which Server Operators belong
to, and the AdminSDHolder:
http://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx

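Two things in Meinolf's reply are worth checking rather than taking on faith: who is actually in the operator groups (membership is domain-wide, so it applies on every DC), and what the AdminSDHolder process has done to those accounts. The following is an added example, not code from the thread or from Microsoft's article: it enumerates effective membership of the four operator groups with the RSAT ActiveDirectory module and then lists every user stamped adminCount=1, the attribute SDProp sets on members of protected groups.

```powershell
# Added example (not part of the original thread): list who effectively sits in the
# built-in operator groups (domain-wide groups, so membership counts on every DC),
# then cross-check against adminCount=1, the marker the AdminSDHolder process
# (SDProp) stamps on members of protected groups. Requires the RSAT ActiveDirectory
# module and a domain-joined session with read access to the directory.
Import-Module ActiveDirectory

$operatorGroups = 'Server Operators', 'Print Operators', 'Backup Operators', 'Account Operators'

# Effective membership: -Recursive expands nested groups so indirect members are not missed
$membership = foreach ($group in $operatorGroups) {
    foreach ($m in (Get-ADGroupMember -Identity $group -Recursive)) {
        $obj = Get-ADObject -Identity $m.DistinguishedName -Properties adminCount, whenChanged
        [pscustomobject]@{
            Group       = $group
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
            AdminCount  = $obj.adminCount
            WhenChanged = $obj.whenChanged
        }
    }
}
if ($membership) { $membership | Sort-Object Group, Member | Format-Table -AutoSize }
else { 'No members in any operator group (the default state).' }

# Every user stamped adminCount=1, with the operator groups it belongs to. An empty
# OperatorGroups column means another protected group (Administrators, Domain Admins,
# Enterprise Admins, Schema Admins, ...) or a stale attribute left over after removal:
# SDProp does not clear adminCount, and such accounts keep the AdminSDHolder ACL with
# inheritance disabled until an administrator cleans them up.
$byUser = @{}
foreach ($row in $membership | Where-Object ObjectClass -eq 'user') {
    if (-not $byUser.ContainsKey($row.Member)) { $byUser[$row.Member] = @() }
    $byUser[$row.Member] += $row.Group
}
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties whenChanged |
    ForEach-Object {
        [pscustomobject]@{
            User           = $_.SamAccountName
            OperatorGroups = ($byUser[$_.SamAccountName] -join '; ')
            WhenChanged    = $_.whenChanged
        }
    } | Sort-Object User | Format-Table -AutoSize
```

The second table is the practical consequence of the "protected groups" article: any account that ever passed through Server Operators keeps the AdminSDHolder permissions until someone resets adminCount and re-enables inheritance, so the support account in this thread will still show up there after it is removed from the group.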
Re: Win2008 rights [message #161840 is a reply to message #161820] Thu, 08 October 2009 01:59
Joe Dunn
Server Operators can view pretty much everything in AD as they will be
Authenticated Users once logged on. Your original post was to have users who
could not view AD.

There have also been many discussions in the past about how Server Operators
can elevate their rights, maybe not directly but using more subtle methods.

My opinion remains that only domain administrators should have access to
domain controllers.

Re: Win2008 rights [message #161893 is a reply to message #161840] Thu, 08 October 2009 23:30
aceman (United States)

Looking around, I found a post by Joe Richards stating that a Server
Operator can change AD objects:
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.active_directory/2006-10/msg01123.html

However, a Server Operator can perform multiple tasks on the DC, but they
can't administer accounts. The following from Microsoft on Windows 2000
doesn't explicitly state this, but it does explicitly state that only
Administrators and Account Operators can administer accounts. This didn't
change in the later releases.

Using Default Group Accounts (Windows 2000)
http://technet.microsoft.com/en-us/library/bb726982.aspx

However, as you stated, and as Richards stated in his post in the first link,
I agree as well that no one other than a domain admin should touch a DC.

Ace
Re: Win2008 rights [message #162064 is a reply to message #161768] Wed, 14 October 2009 13:49
SubstituteThisWithMyF (Netherlands)
Every account can view AD, whether or not it is logged on to a DC.

I do not recommend having a NON-domain admin shutting down a DC.

But if you really have to, configure a user right for a user account or group
(preferred) to REMOTE shutdown the DC. Remember though... this will apply to
ALL DCs!

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

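Jorge's suggestion is the tightest fit for the original requirement: the user right "Force shutdown from a remote system" (SeRemoteShutdownPrivilege) lets an account power off a DC over RPC without any interactive or RDP logon to it, and without membership in any operator group. The following is an added example, not code from Jorge or from the thread. It creates a dedicated group, writes the user-rights template in the format secedit and the GPO security editor consume, and shows how to confirm afterwards who initiated a shutdown. The group name "DC Remote Shutdown", the DC name "DC01" and the shutdown comment are assumptions; the caveat about Group Policy is the reason his "this will apply to ALL DCs" holds.

```powershell
# Added example (not part of the original thread): grant only "Force shutdown from a
# remote system" (SeRemoteShutdownPrivilege) to a dedicated group, so the support
# account can power off a DC over RPC without ever being allowed to log on to it.
# Group name 'DC Remote Shutdown' and DC name 'DC01' are assumptions.
# On DCs this right is governed by the Default Domain Controllers Policy, so a local
# secedit /configure is reverted at the next Group Policy refresh; import the INF into
# that GPO (Computer Configuration > Policies > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment) and it applies to ALL DCs.
Import-Module ActiveDirectory

$groupName = 'DC Remote Shutdown'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description 'May remotely shut down DCs; no interactive logon on DCs'
}
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value
$adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators must stay in the list

# Security template. Listing a right REPLACES its current holders, which is why
# Administrators is written back in explicitly.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteShutdownPrivilege = *{0},*{1}
'@ -f $adminSid, $groupSid
$infPath = Join-Path $env:TEMP 'remote-shutdown.inf'   # arbitrary scratch file name
Set-Content -Path $infPath -Value $inf -Encoding Unicode

# Lab only: apply locally to see the effect immediately (GPO refresh will overwrite it).
# secedit /configure /db (Join-Path $env:TEMP 'remote-shutdown.sdb') /cfg $infPath /areas USER_RIGHTS

# From the support workstation, as a member of the group. The caller also needs
# "Access this computer from the network" on the DC (Authenticated Users have it by
# default); no interactive session on the DC is created.
#   shutdown /s /m \\DC01 /t 60 /c "Dhaka power failure - planned shutdown"

# Afterwards, the DC's System log records who initiated it (Event ID 1074, source
# User32), which is the audit trail a delegated shutdown right needs. Run as an admin.
Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents 5 |
    Select-Object TimeCreated, Message
```

Compared with Server Operators, this grants exactly one privilege and no logon right, so the account cannot open a console on the DC, touch shares or services, or pick up the AdminSDHolder protection that comes with operator-group membership; the remaining exposure is that a member can take down any DC the policy reaches, which is Jorge's "ALL DCs" warning.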