• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 581
  • Last Modified:

Access to DC without domain admin rights in windows 2003

Is there anyway that you can grant access to someone outside of a domain on a domain controller without giving them domain admin rights?
0
phcharland
Asked:
phcharland
  • 5
  • 4
  • 2
  • +3
1 Solution
 
sirbountyCommented:
Perhaps - would they have a domain account of 'any' kind?
Are you looking to give them permissions to modify directory object?
You might look into Delegation of Control, if so (right-click the domain to get at it)
0
 
LauraEHunterMVPCommented:
What type of access are you trying to allow?  Can you be more specific about what you are trying to accomplish?
0
 
egloneCommented:
if they can still use remote desktop, all you would need to do is create a local account on the dc for them and make sure that they know they have to change that option when they are logging into the system.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
cdnq8Commented:
I Agree with Eglone, just make a simple user having standard rights, make him a Remote desktop user, so that he can access the system or depends on you what rights and permission you want to grant him, but be specific to us that why you need him to access your Domain.

Taher
0
 
LauraEHunterMVPCommented:
That would work for a member server, but not for a DC. There are no local accounts on domain controllers, these are all removed when dcpromo is run.  (Go into compmgmt.msc on a DC if you don't believe me.  :-))

I think we need the OP to provide additional information before we can make an informed recommendation.
0
 
phcharlandAuthor Commented:
we have server in a remote location that an outside source needs to be able to manage. They cannot have any access beyond that server and no other rights on the domain. But since its a DC I dont know how to do that...
0
 
LauraEHunterMVPCommented:
Put simply, you can't.  There's no such thing as a local group on a domain controller, the only accounts that you can create are domain accounts.  If you make someone a member of the Administrators group on 1 DC, they are a member of the administrators group on -every- DC.

This gets marginally better in Longhorn, but in 2000 & 2003 AD you can't give someone administrative rights to just one DC without giving them rights to every DC, as well as to your entire Active Directory.

0
 
egloneCommented:
actually, simply put you can.  go into adu&c.  make a new user.  in their property page under the account tab, there is a button that says "logon to..." you can limit what computers they log on to there.  now as an admin, they would still have the ability to go in and change that themselves, but you would see that in event logs.  mvp needs a coffee break.
0
 
LauraEHunterMVPCommented:
I disagree with your solution, as it's unenforceable (as you yourself mentioned) and still hands that user the keys to the kingdom by making them an Administrator (or <insert name of group> member) on all DCs.  As workarounds go, I would deem that one sub-optimal at best.

(And there's no call for rudeness, really.)
0
 
czcdctCommented:
But eglone, your solution works for no longer than the 8 seconds it takes for the other guy to go and change his rights.
As for looking at the logs, you would have to monitor the logs using your solution and also if you did nothing in the first place.

Don't be rude to people, they are here of their own free will to bring you the benefit of their experience and on this one Laura is bang on the button.
0
 
egloneCommented:
I apologize for the comment made towards Laura, long morning and uncalled for.  However, I stand by my solution.  If you're going to let a third party manage your servers, you should be checking your logs irregardless of what rights you give them.  You should be checking your security logs whether you have a third party or not, that's just a SOP in the companies that I have worked for.  Honestly unless the person working on your machine already knows about how to do this, it's not very common knowledge that you can do this.  Third party management for a server is a sticky situation no matter how you go about it, especially on a DC.
0
 
LauraEHunterMVPCommented:
We'll have to agree to disagree, then.  I don't give third-party vendors admin rights to a DC, full stop, because there is no way to do so that can satisfy my security requirements.  Any workarounds like the one you describe are easily thwarted despite the best preventative measures one can take to the contrary. Auditin is reactive, not pro-active, and if someone has rights to a DC, they also have rights to muck with the audit logs to cover the trail of things they've done.

Ultimately I won't base a security decision on the premise of "Yeah, but nobody knows how to take advantage of that" because, while the third-party vendor may not know what an elevation of privilege attack is, the virus that they just downloaded onto their admin workstation (and thus onto my DC)...-does- know how to do that.

If you stand by your solution, that's your choice to make the recommendations that you see fit.  For myself and most of my peers in the AD consulting world, I wouldn't go that route for all the tea in Ceylon, China, and India combined.
0
 
egloneCommented:
I wouldn't give a third party admin access to my DC either, but the person who posted this made it sound necessary.  And if you can't trust your own third party with rights, you need to learn how to bring it in house.  For all practical purposes, all your domain admins can do this and you still need to audit your logs.  Still yet, we'll have to agree to disagree.
0
 
cdnq8Commented:
Hi i was taliking about a domain account and not a local user.
Taher
0

Featured Post

Granular recovery for Microsoft Exchange

With Veeam Explorer for Microsoft Exchange you can choose the Exchange Servers and restore points you’re interested in, and Veeam Explorer will present the contents of those mailbox stores for browsing, searching and exporting.

  • 5
  • 4
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now