Re: User's rights on domain controller to perform some administrative



Joe Richards [MVP]
07-09-2005, 10:50 PM
You cannot safely grant non-DAs the ability to log onto Domain Controllers and update them.
The person who has that access has a multitude of methods to escalate their
privileges as high as Enterprise Admin.

Why is the local access necessary? Can you not use /console mode TS?

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


cosimo wrote:
> I have this problem:
> On a Windows Server 2003 Domain Controller (in a small network) is installed
> (besides Active Directory) a client/server software that the users must use for
> their work from their clients.
> The problem is that this software must be regularly updated on a weekly/monthly
> basis, and that is possible only by logging on locally to the DC.
> I'd like to assign this task to a particular user, but I don't want to join
> him/her to the Domain built-in Administrators group.
> I've tried to add this user to the Server Operators group, but he/she can't
> perform the task because it is denied.
> Is there a solution (simple, please...) to resolve the question?
> Thanks in advance.
> Cosimo Mercuro

Roger Abell
07-09-2005, 10:51 PM
Not sure I see how use of TS will curtail the ability to
effect a privilege escalation . . .

--
Roger
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:uv1$S6mVFHA.2616@TK2MSFTNGP14.phx.gbl...
> You cannot safely grant non-DAs the ability to log onto Domain Controllers and
> update them.
> The person who has that access has a multitude of methods to escalate their
> privileges as high as Enterprise Admin.
>
> Why is the local access necessary? Can you not use /console mode TS?
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> cosimo wrote:
> > I have this problem:
> > On a Windows Server 2003 Domain Controller (in a small network) is
> > installed (besides Active Directory) a client/server software that the
> > users must use for their work from their clients.
> > The problem is that this software must be regularly updated on a
> > weekly/monthly basis, and that is possible only by logging on locally to
> > the DC.
> > I'd like to assign this task to a particular user, but I don't want to
> > join him/her to the Domain built-in Administrators group.
> > I've tried to add this user to the Server Operators group, but he/she
> > can't perform the task because it is denied.
> > Is there a solution (simple, please...) to resolve the question?
> > Thanks in advance.
> > Cosimo Mercuro

Joe Richards [MVP]
07-09-2005, 10:51 PM
I was thinking someone that is already a DA in a remote site can console TS into
the machine and do the update, not do it locally.

I never give anyone but DAs access to interactively log into or modify DCs.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Roger Abell wrote:
> Not sure I see how use of TS will curtail the ability to
> effect a privilege escalation . . .
>
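Joe's rule above ("nobody but DAs logs on interactively to a DC") is something an admin can verify rather than assume. The following script is an added example written for this thread, not code from any poster; it assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and that it runs as a domain user with read access to AD and to GPOs. It reports two things: every principal that a GPO linked to the Domain Controllers OU grants "Allow log on locally" (SeInteractiveLogonRight), and the recursive membership of the built-in groups that the default DC policy hands that right to, including the Server Operators group cosimo tried. Any account in either list that is not a DA is exactly the kind of foothold Joe is warning about.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Groups that the default Domain Controllers policy allows to log on locally to DCs,
# plus the DA/EA groups themselves, so the report shows the complete picture.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Administrators',
    'Server Operators', 'Backup Operators', 'Print Operators', 'Account Operators'
)

function Get-PrivilegedGroupReport {
    # One row per (group, nested member); recursion resolves nested group membership.
    foreach ($group in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            [pscustomobject]@{
                Group  = $group
                Member = $m.SamAccountName
                Class  = $m.objectClass
            }
        }
    }
}

function Get-XmlText($node) {
    # Get-GPOReport emits Member/Name sometimes as a bare string, sometimes as an
    # element carrying xml:space="preserve"; normalise both to a string.
    if ($node -is [System.Xml.XmlElement]) { return $node.InnerText }
    return [string]$node
}

function Get-DcInteractiveLogonRight {
    # Walk every GPO linked to the Domain Controllers OU and pull the
    # SeInteractiveLogonRight ("Allow log on locally") assignments from its XML report.
    $dcOu  = 'OU=Domain Controllers,' + (Get-ADDomain).DistinguishedName
    $links = (Get-GPInheritance -Target $dcOu).GpoLinks
    foreach ($link in $links) {
        [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        $assignments = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment |
                       Where-Object { $_.Name -eq 'SeInteractiveLogonRight' }
        foreach ($right in $assignments) {
            foreach ($member in $right.Member) {
                [pscustomobject]@{
                    GPO       = $link.DisplayName
                    Enabled   = $link.Enabled
                    Right     = 'SeInteractiveLogonRight'
                    Principal = Get-XmlText $member.Name
                }
            }
        }
    }
}

# Usage: print both reports, then flag any principal outside Domain Admins /
# Enterprise Admins / Administrators that holds interactive logon on DCs.
$logon = Get-DcInteractiveLogonRight
$logon | Format-Table -AutoSize
Get-PrivilegedGroupReport | Sort-Object Group, Member | Format-Table -AutoSize

$expected = @('BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins')
$logon | Where-Object { $expected -notcontains ($_.Principal -replace '^.*\\', '') -and
                        $expected -notcontains $_.Principal } |
    ForEach-Object { Write-Warning "Non-DA interactive logon on DCs via GPO '$($_.GPO)': $($_.Principal)" }
```

The warning at the end is deliberately conservative: it treats anything outside Administrators, Domain Admins and Enterprise Admins as worth a look, which on a default install means the Operators groups themselves show up. That is the point of the thread; if those groups have members, the people in them can reach a DC console and, as Joe says, escalate from there.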

