logon to DC without Admin rights

Archived from groups: microsoft.public.win2000.security

I have a service provider that will be handling software updates and service
pack installation. I have a secured root forest and would like to provide
security to the forest, hence I don't want to give these guys access to
the dsa, dssite, and dnsmgmt .msc's. Is there a group or way to configure my DCs
to allow this userid to logon just for updates to the server? I know this
functionality is not normal, as most Admins trust the service provider that is
taking care of the day to day. However, I really don't want to give them
access to these functions.

Side note:
I know about the default domain controller policy where you can add the user
to logon locally, but this doesn't give them enough access to do what they
need to do.

One thought was to give them a local account in directory restore mode;
this would allow them to logon to the local server without the AD and have
admin rights to the local (per se) server. I was just uncertain if I could
update all necessary drivers and/or service packs in this environment (as
it is basically safe mode with limited functionality, no network support for
example).


Thanks in advance.
  1. Reply (Steve):

    The problem with allowing them to logon in AD Restore is that it would give
    them the ability to add themselves to the domain admins group per the link
    below and logon to the Recovery Console.

    http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm

    If you enable Software Update Services on your network, Windows Updates and
    Service Packs can be installed AND approved automatically, or any .msi
    package can be published/assigned to users or assigned to computers, which
    will allow installation without administrator intervention. --- Steve


    "Spence" <Spence@discussions.microsoft.com> wrote in message
    news:8EF7A810-1EC1-40FB-88D6-C2A5F343331F@microsoft.com...
    > I have a service provider that will be handling software updates and service
    > pack installation. I have a secured root forest and would like to provide
    > security to the forest, hence I don't want to give these guys access to
    > the dsa, dssite, and dnsmgmt .msc's. Is there a group or way to configure my DCs
    > to allow this userid to logon just for updates to the server? I know this
    > functionality is not normal, as most Admins trust the service provider that is
    > taking care of the day to day. However, I really don't want to give them
    > access to these functions.
    >
    > Side note:
    > I know about the default domain controller policy where you can add the user
    > to logon locally, but this doesn't give them enough access to do what they
    > need to do.
    >
    > One thought was to give them a local account in directory restore mode;
    > this would allow them to logon to the local server without the AD and have
    > admin rights to the local (per se) server. I was just uncertain if I could
    > update all necessary drivers and/or service packs in this environment (as
    > it is basically safe mode with limited functionality, no network support for
    > example).
    >
    >
    > Thanks in advance.
  2. Reply (Spence):

    Thanks for the feedback, but I know, just as a rule, if you have physical
    access to the server anything is possible. However, I still need to enable
    this sort of function on the DCs. I also am aware of SUS at the local
    level and domain level; unfortunately my organization will not allow this
    type of service on the servers. Workstations are a different story, but for
    the servers they want to have as much control as possible over the root. I
    have seen the trick that you referenced from Petri's website, pretty slick I
    must say, but nonetheless I still have the same problem to deal with. So what
    are your thoughts about the directory restore mode option? Do you think that
    this would be acceptable for software updates/patches?
    Thanks once again for the feedback.


    "Steven L Umbach" wrote:

    > The problem with allowing them to logon in AD Restore is that it would give
    > them the ability to add themselves to the domain admins group per the link
    > below and logon to the Recovery Console.
    >
    > http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm
    >
    > If you enable Software Update Services on your network, Windows Updates and
    > Service Packs can be installed AND approved automatically, or any .msi
    > package can be published/assigned to users or assigned to computers, which
    > will allow installation without administrator intervention. --- Steve
    >
    >
    > "Spence" <Spence@discussions.microsoft.com> wrote in message
    > news:8EF7A810-1EC1-40FB-88D6-C2A5F343331F@microsoft.com...
    > > I have a service provider that will be handling software updates and service
    > > pack installation. I have a secured root forest and would like to provide
    > > security to the forest, hence I don't want to give these guys access to
    > > the dsa, dssite, and dnsmgmt .msc's. Is there a group or way to configure my DCs
    > > to allow this userid to logon just for updates to the server? I know this
    > > functionality is not normal, as most Admins trust the service provider that is
    > > taking care of the day to day. However, I really don't want to give them
    > > access to these functions.
    > >
    > > Side note:
    > > I know about the default domain controller policy where you can add the user
    > > to logon locally, but this doesn't give them enough access to do what they
    > > need to do.
    > >
    > > One thought was to give them a local account in directory restore mode;
    > > this would allow them to logon to the local server without the AD and have
    > > admin rights to the local (per se) server. I was just uncertain if I could
    > > update all necessary drivers and/or service packs in this environment (as
    > > it is basically safe mode with limited functionality, no network support for
    > > example).
    > >
    > >
    > > Thanks in advance.
    >
    >
    >
  3. Reply (Steve):

    I have never heard of or read of anyone taking that approach and cannot
    recommend it myself. I can't think of another solution other than to make sure
    these people are trustworthy and competent, and you can enable auditing on
    the domain controllers for things like account management and policy change
    to try and track that they are not doing things that they are not supposed
    to. --- Steve


    "Spence" <Spence@discussions.microsoft.com> wrote in message
    news:5EF5857E-1736-49DB-BD49-2EC79E48B7E4@microsoft.com...
    > Thanks for the feedback, but I know, just as a rule, if you have physical
    > access to the server anything is possible. However, I still need to enable
    > this sort of function on the DCs. I also am aware of SUS at the local
    > level and domain level; unfortunately my organization will not allow this
    > type of service on the servers. Workstations are a different story, but for
    > the servers they want to have as much control as possible over the root. I
    > have seen the trick that you referenced from Petri's website, pretty slick I
    > must say, but nonetheless I still have the same problem to deal with. So what
    > are your thoughts about the directory restore mode option? Do you think that
    > this would be acceptable for software updates/patches?
    > Thanks once again for the feedback.
    >
    >
    > "Steven L Umbach" wrote:
    >
    >> The problem with allowing them to logon in AD Restore is that it would give
    >> them the ability to add themselves to the domain admins group per the link
    >> below and logon to the Recovery Console.
    >>
    >> http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm
    >>
    >> If you enable Software Update Services on your network, Windows Updates and
    >> Service Packs can be installed AND approved automatically, or any .msi
    >> package can be published/assigned to users or assigned to computers, which
    >> will allow installation without administrator intervention. --- Steve
    >>
    >>
    >> "Spence" <Spence@discussions.microsoft.com> wrote in message
    >> news:8EF7A810-1EC1-40FB-88D6-C2A5F343331F@microsoft.com...
    >> > I have a service provider that will be handling software updates and service
    >> > pack installation. I have a secured root forest and would like to provide
    >> > security to the forest, hence I don't want to give these guys access to
    >> > the dsa, dssite, and dnsmgmt .msc's. Is there a group or way to configure my DCs
    >> > to allow this userid to logon just for updates to the server? I know this
    >> > functionality is not normal, as most Admins trust the service provider that is
    >> > taking care of the day to day. However, I really don't want to give them
    >> > access to these functions.
    >> >
    >> > Side note:
    >> > I know about the default domain controller policy where you can add the user
    >> > to logon locally, but this doesn't give them enough access to do what they
    >> > need to do.
    >> >
    >> > One thought was to give them a local account in directory restore mode;
    >> > this would allow them to logon to the local server without the AD and have
    >> > admin rights to the local (per se) server. I was just uncertain if I could
    >> > update all necessary drivers and/or service packs in this environment (as
    >> > it is basically safe mode with limited functionality, no network support for
    >> > example).
    >> >
    >> >
    >> > Thanks in advance.
    >>
    >>
    >>
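Steve's last reply suggests enabling auditing for account management and policy change on the domain controllers and checking what the provider's account actually did. The following is an added example, not code from the thread or from Microsoft, of that review logic run over a constructed tab-separated export of security events; the event IDs are the Windows 2000/2003 ones (632/636 for a member added to a security-enabled global/local group, 612 for an audit policy change, 528 for a successful logon), and the account name svcprov and the export layout are assumptions.

```python
import csv
import io
from dataclasses import dataclass

# Windows 2000/2003 security event IDs for the two categories Steve names,
# "account management" and "policy change" (on Server 2008+ the equivalents
# are 4728, 4732 and 4719). 528 is a successful logon and is left as noise.
GROUP_MEMBER_ADDED = {"632", "636"}   # security-enabled global / local group
AUDIT_POLICY_CHANGED = {"612"}

# Groups a patching account has no business touching; membership changes to
# these are flagged whoever performed them.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

# Constructed export (assumed layout): time, event_id, actor, target, group.
SAMPLE_LOG = """time\tevent_id\tactor\ttarget\tgroup
2004-05-12 14:02:11\t528\tsvcprov\t-\t-
2004-05-12 14:05:40\t632\tsvcprov\tsvcprov\tDomain Admins
2004-05-12 14:06:02\t612\tsvcprov\t-\t-
2004-05-12 14:07:15\t632\tjdoe\tnewadmin\tDomain Admins
2004-05-12 14:10:00\t636\tsvcprov\tsvcprov\tPrint Operators
"""


@dataclass
class Finding:
    when: str
    event_id: str
    actor: str
    detail: str


def review_dc_audit_log(export: str, maintenance_accounts: set) -> list:
    """Return the events a DC admin should look at after a maintenance window."""
    findings = []
    for row in csv.DictReader(io.StringIO(export), delimiter="\t"):
        eid, actor = row["event_id"], row["actor"]
        if eid in GROUP_MEMBER_ADDED and row["group"] in PRIVILEGED_GROUPS:
            # The exact move Steve warns about: adding oneself to Domain Admins.
            findings.append(Finding(row["time"], eid, actor,
                                    f"{row['target']} added to {row['group']}"))
        elif eid in AUDIT_POLICY_CHANGED and actor in maintenance_accounts:
            # A patching account changing audit policy would blind this review.
            findings.append(Finding(row["time"], eid, actor,
                                    "audit policy changed"))
    return findings


if __name__ == "__main__":
    for f in review_dc_audit_log(SAMPLE_LOG, {"svcprov"}):
        print(f.when, f.event_id, f.actor, f.detail)
```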