Joe Richards [MVP]
07-09-2005, 10:50 PM
You cannot safely grant non-DAs to log onto Domain Controllers and update them.
The person who has the access has a multitude of methods to escalate their
privileges as high as Enterprise Admin.
Why is the local access necessary? Can you not use /console mode TS?
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
cosimo wrote:
> I've this problem:
> On a Windows Server 2003 Domain Controller (in a small network) is installed
> (beyond Active Directory) a client/server software that the users must use for
> their work from their clients.
> The problem is that this software must be regularly updated on a weekly/monthly
> basis and that is possible only by logging on locally to the DC.
> I'd like to assign this task to a particular user but I don't want to join
> him/her to the Domain built-in administrators group.
> I've tried to add this user to the Server Operators Group, but he/she can't
> perform the task because it is denied.
> There is a solution (simple, please...) to resolve the question?
> Thanks in advance.
> Cosimo Mercuro