Delegation Rights for Server Operator

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Windows 2003 Single Domain

I am currently delegating authority for our Computer Operations team. If I
explain what I have done so far, hopefully someone can fill in the pieces.

I have created a global group called Comp_Ops, and I then ran a script
which added this global group to every member server's local
Administrators group.

I have also delegated Create/Write/Read permissions on Account, Computer,
Group, User, Shared Folder and Printer Objects on an OU within the domain.

At the moment, it meets our requirements for member servers and also when
they are on cover, they can modify group memberships, reset passwords etc.

The next bit is that we still have a number of DCs which act as File &
Print Servers, which we will eventually demote, but for the time being the
team needs access to them, so I was thinking about adding them to the Builtin
Server Operators group to provide access so they can check event logs etc.

The question I have is concerning the AdminSDHolder process... from my
understanding it's a process which runs every 1hr and resets the ACLs on the
User Objects belonging to the builtin groups.

Does this mean that my plan to add them to the Builtin Server Operators
group would reset the work that I have already done?

If not, what else can I do? I don't want them to have Domain Admin
privileges. It's not my preferred option to let them log on to the DCs at all,
but management wants them to have access to these DC F&PS until they are
demoted, and this could be longer than 6 months because of the politics going
on.

Any assistance would be great.
  1. adminSDHolder only resets the permissions on the ACL of the user object that
    is protected.
    -- http://www.msresource.net/content/view/38/46/

    You can add additional permissions to the adminSDHolder object if you wish.
    That is, you can, if you so wish, allow a specific, trusted group write
    access to the protected groups.

    Also, there are some security risks in making a user a server operator. A
    savvy user could escalate themselves...

    --
    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  2. Ah, thanks for clearing that up. So basically the GG I will use can have
    whatever delegated rights it needs and be a member of the Server Ops group,
    but if I try to change the Server Operators' rights, they will be reset every
    1hr via the AdminSDHolder process...?

    I understand the risk of letting a user become a member of the Server Ops
    group, but these users are _Server Support_ who provide 24hr monitoring and
    as we currently use branch office DC's as File & Print, they will need access
    until we reduce the amount of DC's on the domain.

    Cheers for your help, cool website by the way..

    "ptwilliams" wrote:

    > adminSDHolder only resets the permissions on the ACL of the user object that
    > is protected.
    > -- http://www.msresource.net/content/view/38/46/
    >
    > You can add additional permissions to the adminSDHolder object if you wish.
    > That is, you can, if you so wish, allow a specific, trusted group write
    > access to the protected groups.
    >
    > Also, there are some security risks in making a user a server operator. A
    > savvy user could escalate themselves...
    >
    > --
    > Paul Williams
    >
    > http://www.msresource.net/
    > http://forums.msresource.net/
    >
  6. > Ah, thanks for clearing that up. So basically the GG I will use can have
    > whatever delegated rights it needs and be a member of the Server Ops group,
    > but if I try to change the Server Operators' rights, they will be reset
    > every 1hr via the AdminSDHolder process...?

    I don't quite follow you here. If you add a user to the Server Operators
    group, which is protected, and delegate permissions to the OU in which this
    object resides, after an hour this object will not have those permissions.
    adminSDHolder doesn't inherit. But we're only talking about the permissions
    on the members of the protected groups. This means that a delegated user
    cannot change attributes and permissions on a user that is a member of a
    protected group. However, if you grant permissions to make changes to other
    non-protected group users, that is fine.

    If you do want the users to be able to update protected group members, you
    need to set the appropriate permissions on the adminSDHolder object.

    Hope that clarifies things a bit. Truth be told, I think you got it the first
    time - I just didn't get your follow-up post ;-)


    > I understand the risk of letting a user become a member of the Server Ops
    > group, but these users are _Server Support_ who provide 24hr monitoring
    > and as we currently use branch office DC's as File & Print, they will need
    > access until we reduce the amount of DC's on the domain.

    Yeah, tell me about it. I'm in the same boat as you for a number of
    customers...


    > Cheers for your help, cool website by the way..

    No problem, and thanks very much!


    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
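The effect Paul describes (a protected group member losing the permissions delegated at the OU, with inheritance switched off and the DACL replaced by a copy of AdminSDHolder's) can be checked rather than waited for. The following audit script is an added example, not from the thread or from msresource.net. It assumes the RSAT ActiveDirectory PowerShell module (Windows Server 2008 R2 or later management host; not available natively on Windows 2003) and read access to the domain; the group name and output fields are the author's choices.

```powershell
# Added example: audit who has been stamped by the AdminSDHolder/SDProp process.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read
# the domain's objects. Nothing here modifies the directory.
Import-Module ActiveDirectory

# Protected builtin group to inspect; any protected group name works here.
$ProtectedGroup = 'Server Operators'
$DomainDN       = (Get-ADDomain).DistinguishedName
$HolderDN       = "CN=AdminSDHolder,CN=System,$DomainDN"

# Reference: the DACL that SDProp copies onto every protected object.
$HolderAcl      = Get-Acl -Path ("AD:\" + $HolderDN)
$HolderAceCount = ($HolderAcl.Access | Where-Object { -not $_.IsInherited }).Count

# Nested membership matters: a user reached through a nested group is protected too.
$Members = Get-ADGroupMember -Identity $ProtectedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$Report = foreach ($m in $Members) {
    $u   = Get-ADUser -Identity $m.DistinguishedName -Properties adminCount
    $acl = Get-Acl -Path ("AD:\" + $u.DistinguishedName)
    $explicit = ($acl.Access | Where-Object { -not $_.IsInherited }).Count

    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        AdminCount          = $u.adminCount            # 1 once SDProp has run
        InheritanceDisabled = $acl.AreAccessRulesProtected
        ExplicitAces        = $explicit
        MatchesAdminSDHolder = ($explicit -eq $HolderAceCount)
    }
}
$Report | Format-Table -AutoSize

# Caveat worth knowing: SDProp sets adminCount=1 but never clears it, so an
# account removed from a protected group keeps adminCount=1 and blocked
# inheritance until someone fixes it by hand. List those "orphans" here.
$ProtectedDNs = $Members | Select-Object -ExpandProperty DistinguishedName
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $ProtectedDNs -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Run it before adding Comp_Ops to Server Operators and again roughly an hour afterwards: the second run should show the delegated OU permissions gone from those accounts (InheritanceDisabled true, adminCount 1). The orphan list at the end is the part most shops miss when they later move people out of the group, since the stale adminCount also excludes those accounts from OU-level delegation indefinitely.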