Delegation Rights for Server Operator
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.active_directory (More info?)
Windows 2003 Single Domain
I am currently delegating authority for our Computer Operations team. If I
explain what I have done so far, hopefully someone can fill in the pieces..
I have created a global group called Comp_Ops, I have then ran a script
which has added this global group to every Member Servers local
Administrators group.
I have also delegated Create/Write/Read permissions on Account, Computer,
Group, User, Shared Folder and Printer Objects on an OU within the domain.
At the moment, it meets our requirements for member servers and also when
they are on cover, they can modify group memberships, reset passwords etc.
The next bit is that we still have a number of DC's which act as File &
Print Servers, which we will eventually demote but for the time being, they
need access to so I was thinking about adding them to the Builtin Server
Operators group to provide them access so they can check event logs etc.
The question I have is concerning the AdminsSDHolder process...from my
understanding it's a process which runs every 1hr and resets the ACL's on the
User Objects belonging to the builtin groups
Does this mean that my plan to add them to the Builtin Server Operators
group would reset the work that I have already done?
If not, what else can I do? I don't want them to have Domain Admin
privileges. It's not my preferred option to let them logon to the DC's at all
but management wants them to have access to these DC F&PS until they are
demoted but this could be longer than 6 months because of the politics going
on.
Any assistance would be great.
Windows 2003 Single Domain
I am currently delegating authority for our Computer Operations team. If I
explain what I have done so far, hopefully someone can fill in the pieces..
I have created a global group called Comp_Ops, I have then ran a script
which has added this global group to every Member Servers local
Administrators group.
I have also delegated Create/Write/Read permissions on Account, Computer,
Group, User, Shared Folder and Printer Objects on an OU within the domain.
At the moment, it meets our requirements for member servers and also when
they are on cover, they can modify group memberships, reset passwords etc.
The next bit is that we still have a number of DC's which act as File &
Print Servers, which we will eventually demote but for the time being, they
need access to so I was thinking about adding them to the Builtin Server
Operators group to provide them access so they can check event logs etc.
The question I have is concerning the AdminsSDHolder process...from my
understanding it's a process which runs every 1hr and resets the ACL's on the
User Objects belonging to the builtin groups
Does this mean that my plan to add them to the Builtin Server Operators
group would reset the work that I have already done?
If not, what else can I do? I don't want them to have Domain Admin
privileges. It's not my preferred option to let them logon to the DC's at all
but management wants them to have access to these DC F&PS until they are
demoted but this could be longer than 6 months because of the politics going
on.
Any assistance would be great.
More about : delegation rights server operator
Archived from groups: microsoft.public.win2000.active_directory (More info?)
adminSDHolder only resets the permissions on the ACL of the user object that
is protected.
-- http://www.msresource.net/content/view/38/46/
You can add additional permissions to the adminSDHolder object if you wish.
That is, you can, if you so wish, allow a specific, trusted group write
access to the protected groups.
Also, there are some security risks in making a user an server operator. A
savy user could escalate themselves...
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
adminSDHolder only resets the permissions on the ACL of the user object that
is protected.
-- http://www.msresource.net/content/view/38/46/
You can add additional permissions to the adminSDHolder object if you wish.
That is, you can, if you so wish, allow a specific, trusted group write
access to the protected groups.
Also, there are some security risks in making a user an server operator. A
savy user could escalate themselves...
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
Archived from groups: microsoft.public.win2000.active_directory (More info?)
ah, thanks for clearing that. So basically the GG I will use can have
whatever delegated rights it needs and be a member of the Server Ops group
but if I try and change the Server Operators rights, they will be reset every
1hr via the AdminSDHolder process...?
I understand the risk of letting a user become a member of the Server Ops
group, but these users are _Server Support_ who provide 24hr monitoring and
as we currently use branch office DC's as File & Print, they will need access
until we reduce the amount of DC's on the domain.
Cheers for your help, cool website by the way..
"ptwilliams" wrote:
> adminSDHolder only resets the permissions on the ACL of the user object that
> is protected.
> -- http://www.msresource.net/content/view/38/46/
>
> You can add additional permissions to the adminSDHolder object if you wish.
> That is, you can, if you so wish, allow a specific, trusted group write
> access to the protected groups.
>
> Also, there are some security risks in making a user an server operator. A
> savy user could escalate themselves...
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
ah, thanks for clearing that. So basically the GG I will use can have
whatever delegated rights it needs and be a member of the Server Ops group
but if I try and change the Server Operators rights, they will be reset every
1hr via the AdminSDHolder process...?
I understand the risk of letting a user become a member of the Server Ops
group, but these users are _Server Support_ who provide 24hr monitoring and
as we currently use branch office DC's as File & Print, they will need access
until we reduce the amount of DC's on the domain.
Cheers for your help, cool website by the way..
"ptwilliams" wrote:
> adminSDHolder only resets the permissions on the ACL of the user object that
> is protected.
> -- http://www.msresource.net/content/view/38/46/
>
> You can add additional permissions to the adminSDHolder object if you wish.
> That is, you can, if you so wish, allow a specific, trusted group write
> access to the protected groups.
>
> Also, there are some security risks in making a user an server operator. A
> savy user could escalate themselves...
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
Archived from groups: microsoft.public.win2000.active_directory (More info?)
ah, thanks for clearing that. So basically the GG I will use can have
whatever delegated rights it needs and be a member of the Server Ops group
but if I try and change the Server Operators rights, they will be reset every
1hr via the AdminSDHolder process...?
I understand the risk of letting a user become a member of the Server Ops
group, but these users are _Server Support_ who provide 24hr monitoring and
as we currently use branch office DC's as File & Print, they will need access
until we reduce the amount of DC's on the domain.
Cheers for your help, cool website by the way..
"ptwilliams" wrote:
> adminSDHolder only resets the permissions on the ACL of the user object that
> is protected.
> -- http://www.msresource.net/content/view/38/46/
>
> You can add additional permissions to the adminSDHolder object if you wish.
> That is, you can, if you so wish, allow a specific, trusted group write
> access to the protected groups.
>
> Also, there are some security risks in making a user an server operator. A
> savy user could escalate themselves...
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
ah, thanks for clearing that. So basically the GG I will use can have
whatever delegated rights it needs and be a member of the Server Ops group
but if I try and change the Server Operators rights, they will be reset every
1hr via the AdminSDHolder process...?
I understand the risk of letting a user become a member of the Server Ops
group, but these users are _Server Support_ who provide 24hr monitoring and
as we currently use branch office DC's as File & Print, they will need access
until we reduce the amount of DC's on the domain.
Cheers for your help, cool website by the way..
"ptwilliams" wrote:
> adminSDHolder only resets the permissions on the ACL of the user object that
> is protected.
> -- http://www.msresource.net/content/view/38/46/
>
> You can add additional permissions to the adminSDHolder object if you wish.
> That is, you can, if you so wish, allow a specific, trusted group write
> access to the protected groups.
>
> Also, there are some security risks in making a user an server operator. A
> savy user could escalate themselves...
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
Related ressources
- Delegation Rights ? - Forum
- OU Delegation - Forum
- Delegation Wizard - Forum
- trouble with delegating unlock rights - Forum
- Rights -Account Operators - Forum
Archived from groups: microsoft.public.win2000.active_directory (More info?)
ah, thanks for clearing that. So basically the GG I will use can have
whatever delegated rights it needs and be a member of the Server Ops group
but if I try and change the Server Operators rights, they will be reset every
1hr via the AdminSDHolder process...?
I understand the risk of letting a user become a member of the Server Ops
group, but these users are _Server Support_ who provide 24hr monitoring and
as we currently use branch office DC's as File & Print, they will need access
until we reduce the amount of DC's on the domain.
Cheers for your help, cool website by the way..
"ptwilliams" wrote:
> adminSDHolder only resets the permissions on the ACL of the user object that
> is protected.
> -- http://www.msresource.net/content/view/38/46/
>
> You can add additional permissions to the adminSDHolder object if you wish.
> That is, you can, if you so wish, allow a specific, trusted group write
> access to the protected groups.
>
> Also, there are some security risks in making a user an server operator. A
> savy user could escalate themselves...
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
ah, thanks for clearing that. So basically the GG I will use can have
whatever delegated rights it needs and be a member of the Server Ops group
but if I try and change the Server Operators rights, they will be reset every
1hr via the AdminSDHolder process...?
I understand the risk of letting a user become a member of the Server Ops
group, but these users are _Server Support_ who provide 24hr monitoring and
as we currently use branch office DC's as File & Print, they will need access
until we reduce the amount of DC's on the domain.
Cheers for your help, cool website by the way..
"ptwilliams" wrote:
> adminSDHolder only resets the permissions on the ACL of the user object that
> is protected.
> -- http://www.msresource.net/content/view/38/46/
>
> You can add additional permissions to the adminSDHolder object if you wish.
> That is, you can, if you so wish, allow a specific, trusted group write
> access to the protected groups.
>
> Also, there are some security risks in making a user an server operator. A
> savy user could escalate themselves...
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
Archived from groups: microsoft.public.win2000.active_directory (More info?)
ah, thanks for clearing that. So basically the GG I will use can have
whatever delegated rights it needs and be a member of the Server Ops group
but if I try and change the Server Operators rights, they will be reset every
1hr via the AdminSDHolder process...?
I understand the risk of letting a user become a member of the Server Ops
group, but these users are _Server Support_ who provide 24hr monitoring and
as we currently use branch office DC's as File & Print, they will need access
until we reduce the amount of DC's on the domain.
"ptwilliams" wrote:
> adminSDHolder only resets the permissions on the ACL of the user object that
> is protected.
> -- http://www.msresource.net/content/view/38/46/
>
> You can add additional permissions to the adminSDHolder object if you wish.
> That is, you can, if you so wish, allow a specific, trusted group write
> access to the protected groups.
>
> Also, there are some security risks in making a user an server operator. A
> savy user could escalate themselves...
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
ah, thanks for clearing that. So basically the GG I will use can have
whatever delegated rights it needs and be a member of the Server Ops group
but if I try and change the Server Operators rights, they will be reset every
1hr via the AdminSDHolder process...?
I understand the risk of letting a user become a member of the Server Ops
group, but these users are _Server Support_ who provide 24hr monitoring and
as we currently use branch office DC's as File & Print, they will need access
until we reduce the amount of DC's on the domain.
"ptwilliams" wrote:
> adminSDHolder only resets the permissions on the ACL of the user object that
> is protected.
> -- http://www.msresource.net/content/view/38/46/
>
> You can add additional permissions to the adminSDHolder object if you wish.
> That is, you can, if you so wish, allow a specific, trusted group write
> access to the protected groups.
>
> Also, there are some security risks in making a user an server operator. A
> savy user could escalate themselves...
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
Archived from groups: microsoft.public.win2000.active_directory (More info?)
> ah, thanks for clearing that. So basically the GG I will use can have
> whatever delegated rights it needs and be a member of the Server Ops group
> but if I try and change the Server Operators rights, they will be reset
> every 1hr via the AdminSDHolder process...?
I don't quite follow you here. If you add a user to the Sever Operators
group, which is protected, and delegate permissions to the OU in which this
object resides, after an hour this object will not have those permissions.
adminSDHolder doesn't inherit. But we're only talking about the permissions
on the members of the protected groups. This means that a delegated user
cannot change attributes and permission on a user that is a member of a
protected group. However, if you grant permissions to make changes to other
non-protected group users that is fine.
If you do want the users to be able to update protected group members, you
need to set the appropriate permissions on the adminSDHolder object.
Hope that clarifies things a bit. Truth be told, I think you got it first
time -I just didn't get your follow-up post ;-)
> I understand the risk of letting a user become a member of the Server Ops
> group, but these users are _Server Support_ who provide 24hr monitoring
> and as we currently use branch office DC's as File & Print, they will need
> access until we reduce the amount of DC's on the domain.
Yeah, tell me about it. I'm in the same boat as you for a number of
customers...
> Cheers for your help, cool website by the way..
No problem, and thanks very much!
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
> ah, thanks for clearing that. So basically the GG I will use can have
> whatever delegated rights it needs and be a member of the Server Ops group
> but if I try and change the Server Operators rights, they will be reset
> every 1hr via the AdminSDHolder process...?
I don't quite follow you here. If you add a user to the Sever Operators
group, which is protected, and delegate permissions to the OU in which this
object resides, after an hour this object will not have those permissions.
adminSDHolder doesn't inherit. But we're only talking about the permissions
on the members of the protected groups. This means that a delegated user
cannot change attributes and permission on a user that is a member of a
protected group. However, if you grant permissions to make changes to other
non-protected group users that is fine.
If you do want the users to be able to update protected group members, you
need to set the appropriate permissions on the adminSDHolder object.
Hope that clarifies things a bit. Truth be told, I think you got it first
time -I just didn't get your follow-up post ;-)
> I understand the risk of letting a user become a member of the Server Ops
> group, but these users are _Server Support_ who provide 24hr monitoring
> and as we currently use branch office DC's as File & Print, they will need
> access until we reduce the amount of DC's on the domain.
Yeah, tell me about it. I'm in the same boat as you for a number of
customers...
> Cheers for your help, cool website by the way..
No problem, and thanks very much!
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
Related ressources:
- ForumDHCP Delegation
- ForumNew delegation to UNIX continued
- ForumCannot delete zone delegation after child domain removal
- ForumDelegated rights
- ForumSubdomain and delegation
- ForumDelegation Control
- ForumDelegation
- Forumprinter admin and delegation
- ForumActive Directory DDNS security delegation question
- ForumDelegation
- ForumDelegate Mailbox Rights
- ForumDelegating Administrative rights to OU's
- ForumDelegate rights to unlock accounts
- ForumParallel and com ports not appearing in device manager
- ForumAdding a Windows 2003 Server (DC) to a Windows 2000 Domain..
- More resources
!
