logon to DC without Admin rights

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

I have a service provider that will be handling software updates and service
pack installation. I have a secured root forest and would like to provide
security to the forest, hence I don't want to give these guys access to
dsa.msc, dssite.msc, and dnsmgmt.msc. Is there a group or way to configure my DCs
to allow this user ID to log on just for updates to the server? I know this
functionality is not normal, as most admins trust the service provider that is
taking care of the day to day. However, I really don't want to give them
access to these functions.

Side note:
I know about the Default Domain Controllers Policy, where you can add the user
to "Log on locally", but this doesn't give them enough access to do what they
need to do.

One thought was to give them a local account in Directory Services Restore Mode;
this would allow them to log on to the local server without AD and have
admin rights to the local (per se) server. I was just uncertain if I could
update all necessary drivers and/or service packs in this environment (as
it is basically Safe Mode with limited functionality; no network support, for
example).


Thanks in advance.
 

The problem with allowing them to log on in AD Restore Mode is that it would give
them the ability to add themselves to the Domain Admins group, per the link
below, and to log on to the Recovery Console.

http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm

If you enable Software Update Services on your network, Windows Updates and
service packs can be installed AND approved automatically, or any .msi
package can be published/assigned to users or assigned to computers, which
will allow installation without administrator intervention. --- Steve


"Spence" <Spence@discussions.microsoft.com> wrote in message
news:8EF7A810-1EC1-40FB-88D6-C2A5F343331F@microsoft.com...
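The question above asks for a group or right that lets an account patch a DC without handing it the directory, and the reply warns that a DSRM logon is already enough to put oneself into Domain Admins. The following PowerShell is an added example for this thread, not code from either poster: it parses a `secedit /export` of the DC's user rights and reports which principals hold rights that are equivalent to full control of a DC (installing service packs and drivers needs SeLoadDriverPrivilege, SeRestorePrivilege and friends, each of which is Domain Admins in all but name on a DC), and it checks whether the DSRM administrator may log on while AD is running. The secedit export, the CORP domain and the svc-vendor account with RID 1105 are constructed; the DsrmAdminLogonBehavior value exists only on Windows Server 2008 and later.

```powershell
# Added example for this thread (not code from the original posts). Two checks
# before a "patching only" account is handed to a provider:
#  1. which principals hold DC-equivalent user rights, parsed from a secedit export;
#  2. whether the DSRM administrator can log on while AD is running
#     (DsrmAdminLogonBehavior, Windows Server 2008 and later; absent on 2000).
# The export below and the S-1-5-21-1-2-3-1105 account are constructed.

# Rights whose holder can take over a DC, with the reason in one line.
$DcEquivalentRights = @{
    SeBackupPrivilege        = 'can read ntds.dit and the SYSTEM hive: every domain hash'
    SeRestorePrivilege       = 'can overwrite any file, e.g. a DLL a service loads as SYSTEM'
    SeLoadDriverPrivilege    = 'can load kernel code'
    SeTakeOwnershipPrivilege = 'can take ownership and rewrite ACLs on any object'
    SeDebugPrivilege         = 'can open lsass.exe and read credentials'
    SeTcbPrivilege           = 'acts as part of the operating system'
}

# Well-known SIDs as secedit prints them; the 1105 RID is the constructed provider account.
$KnownSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators';   'S-1-5-32-548' = 'BUILTIN\Account Operators'
    'S-1-5-32-549' = 'BUILTIN\Server Operators'; 'S-1-5-32-550' = 'BUILTIN\Print Operators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'; 'S-1-5-21-1-2-3-1105' = 'CORP\svc-vendor (constructed)'
}

function Resolve-SidName {
    param([string]$Sid)
    if ($KnownSids.ContainsKey($Sid)) { return $KnownSids[$Sid] }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }   # not resolvable on this host (offline or foreign SID)
}

# Parses the [Privilege Rights] section of 'secedit /export /cfg x.inf /areas USER_RIGHTS'.
function ConvertFrom-SeceditUserRights {
    param([Parameter(Mandatory)][string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        $name, $value = $t -split '\s*=\s*', 2
        $rights[$name] = @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    return $rights
}

# One row per (DC-equivalent right, holder); Default marks the built-in operator groups.
function Get-DcEquivalentRightHolders {
    param([Parameter(Mandatory)][hashtable]$Rights)
    foreach ($right in ($DcEquivalentRights.Keys | Sort-Object)) {
        foreach ($sid in @($Rights[$right])) {
            if (-not $sid) { continue }
            [pscustomobject]@{
                Right        = $right
                Principal    = Resolve-SidName $sid
                Default      = $sid -like 'S-1-5-32-*'
                WhyItMatters = $DcEquivalentRights[$right]
            }
        }
    }
}

# $true when the DSRM administrator can only log on with AD stopped (value absent or 0);
# 1 or 2 let that offline account onto a running DC.
function Test-DsrmLogonRestricted {
    $v = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    return (-not $v) -or ($v -eq 0)
}

function Export-LocalUserRights {          # run in an elevated prompt on the DC itself
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Get-Content $inf
}

# Constructed export: DC defaults plus the provider account granted "log on locally",
# backup and driver loading, which is what "enough access to patch" ends up meaning.
$SampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-21-1-2-3-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-21-1-2-3-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550,*S-1-5-21-1-2-3-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@

$rights = ConvertFrom-SeceditUserRights -Lines ($SampleExport -split "`r?`n")
Get-DcEquivalentRightHolders -Rights $rights | Where-Object { -not $_.Default } | Format-Table -AutoSize
# On a real DC: ConvertFrom-SeceditUserRights -Lines (Export-LocalUserRights); Test-DsrmLogonRestricted
```

With the constructed export, the report lists CORP\svc-vendor under SeBackupPrivilege and SeLoadDriverPrivilege, which is the practical answer to the question: the moment the account can load drivers or back up the DC it can take ntds.dit or run kernel code, so there is no "patching only" level below Domain Admins on a DC. The built-in operator groups are filtered out only because they are expected; they are just as DC-equivalent, which is why the service provider should not be put in Backup Operators or Server Operators either.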
 

Thanks for the feedback, but I know, just as a rule, that if you have physical
access to the server anything is possible. However, I still need to enable
this sort of function on the DCs. I am also aware of SUS at the local
level and domain level; unfortunately, my organization will not allow this
type of service on the servers. Workstations are a different story, but for the servers
they want to have as much control as possible over the root. I have seen
the trick that you referenced from Petri's website, pretty slick I must say,
but nonetheless I still have the same problem to deal with. So what are
your thoughts about the Directory Services Restore Mode option? Do you think that this
would be acceptable for software updates/patches?
Thanks once again for the feedback.


"Steven L Umbach" wrote:

 

I have never heard of or read of anyone taking that approach and cannot
recommend it myself. I can't think of another solution other than to make sure
these people are trustworthy and competent, and you can enable auditing on
the domain controllers for things like account management and policy change
to try to track that they are not doing things that they are not supposed
to. --- Steve


"Spence" <Spence@discussions.microsoft.com> wrote in message
news:5EF5857E-1736-49DB-BD49-2EC79E48B7E4@microsoft.com...
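The advice above is to audit account management and policy change on the DCs and watch what the provider does with its access. The PowerShell below is an added example for this thread, not code from either poster: it reduces that advice to a concrete detection, pulling the Security events a patching account should never generate on a DC (adding a member to a privileged group, creating an account, resetting a password, changing the audit policy) and reporting them for one actor. The event IDs and property layouts are the Windows Server 2008 and later ones (Windows 2000 logged 632/636/660 for group adds, 624 for account creation, 628 for password resets and 612 for audit policy changes), and the CORP domain, the svc-vendor account and the sample events are constructed.

```powershell
# Added example for this thread (not code from the original posts): detection logic
# for "account management" and "policy change" audit events on a DC, filtered to the
# service provider's account. Event IDs/layouts are Windows Server 2008+; the CORP
# domain, svc-vendor account and sample events are constructed.

$WatchedGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
                 'Account Operators','Server Operators','Backup Operators','Print Operators',
                 'Group Policy Creator Owners'

# EventData property indexes (the order in the event XML) for the IDs handled here.
$Layout = @{
    4728 = @{ Kind = 'MemberAddedToGlobalGroup';    Member = 0; Group = 2; Subject = 6 }
    4732 = @{ Kind = 'MemberAddedToLocalGroup';     Member = 0; Group = 2; Subject = 6 }
    4756 = @{ Kind = 'MemberAddedToUniversalGroup'; Member = 0; Group = 2; Subject = 6 }
    4720 = @{ Kind = 'UserAccountCreated';          Target = 0; Subject = 4 }
    4724 = @{ Kind = 'PasswordResetAttempt';        Target = 0; Subject = 4 }
    4719 = @{ Kind = 'AuditPolicyChanged';          Subject = 1; Detail = 7 }
}

# Mimics the Get-WinEvent record shape used below: Id, TimeCreated, Properties[i].Value.
function New-SampleEvent {
    param([int]$Id, [datetime]$Time, [string[]]$Values)
    [pscustomobject]@{
        Id          = $Id
        TimeCreated = $Time
        Properties  = @($Values | ForEach-Object { [pscustomobject]@{ Value = $_ } })
    }
}

# Returns one finding per event that is (a) a handled ID, (b) performed by $Actor when
# given, and (c) for group adds, targets one of the watched groups.
function Find-DcPrivilegeAbuse {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string]$Actor                                # provider account; empty = report everyone
    )
    foreach ($e in $Events) {
        $id = [int]$e.Id
        if (-not $Layout.ContainsKey($id)) { continue }
        $l = $Layout[$id]
        $subject = $e.Properties[$l.Subject].Value
        if ($Actor -and $subject -ne $Actor) { continue }
        $detail = switch ($l.Kind) {
            { $_ -like 'MemberAddedTo*' } {
                $group = $e.Properties[$l.Group].Value
                if ($group -notin $WatchedGroups) { $null } else { "$($e.Properties[$l.Member].Value) -> $group" }
            }
            'UserAccountCreated'   { $e.Properties[$l.Target].Value }
            'PasswordResetAttempt' { $e.Properties[$l.Target].Value }
            'AuditPolicyChanged'   { $e.Properties[$l.Detail].Value }
        }
        if ($detail) {
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $id; Kind = $l.Kind; Actor = $subject; Detail = $detail }
        }
    }
}

# Live collection: run on or against a DC with rights to read the Security log.
function Get-DcAuditEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = @($Layout.Keys); StartTime = $Since
    }
}

# Constructed sample: the provider puts itself into Domain Admins and resets the
# built-in Administrator password; a real admin's change to a helpdesk group is noise.
$sample = @(
    (New-SampleEvent 4728 '2005-03-14T02:10:00' @('CN=svc-vendor,OU=Vendors,DC=corp,DC=example','S-1-5-21-1-2-3-1105',
        'Domain Admins','CORP','S-1-5-21-1-2-3-512','S-1-5-21-1-2-3-1105','svc-vendor','CORP','0x3e7','-'))
    (New-SampleEvent 4724 '2005-03-14T02:11:00' @('Administrator','CORP','S-1-5-21-1-2-3-500',
        'S-1-5-21-1-2-3-1105','svc-vendor','CORP','0x3e7'))
    (New-SampleEvent 4728 '2005-03-14T09:00:00' @('CN=jdoe,OU=Staff,DC=corp,DC=example','S-1-5-21-1-2-3-1200',
        'Helpdesk','CORP','S-1-5-21-1-2-3-1300','S-1-5-21-1-2-3-1001','admin.jane','CORP','0x5e2a','-'))
)
Find-DcPrivilegeAbuse -Events $sample -Actor 'svc-vendor' | Format-Table -AutoSize
# Live: Find-DcPrivilegeAbuse -Events (Get-DcAuditEvents) -Actor 'svc-vendor'
```

Run against the constructed sample, this reports the two svc-vendor events (member added to Domain Admins, password reset on Administrator) and drops the helpdesk change; without `-Actor` the helpdesk add is still dropped because the group is not watched. The checks only fire if the "Audit account management" and "Audit policy change" categories are actually enabled on the DCs, and an actor who has already reached Domain Admins can clear the log, so the events should be forwarded off the DC rather than read from it after the fact.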