Solved

Access to DC without domain admin rights in windows 2003

Posted on 2007-04-04
Medium Priority
577 Views
Last Modified: 2008-06-01
Is there anyway that you can grant access to someone outside of a domain on a domain controller without giving them domain admin rights?
0
Question by:phcharland
14 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 18853508
Perhaps - would they have a domain account of 'any' kind?
Are you looking to give them permissions to modify directory objects?
You might look into Delegation of Control, if so (right-click the domain to get at it).
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18853593
What type of access are you trying to allow?  Can you be more specific about what you are trying to accomplish?
0
 
LVL 3

Expert Comment

by:eglone
ID: 18855783
If they can still use Remote Desktop, all you would need to do is create a local account on the DC for them and make sure that they know they have to change that option when they are logging into the system.
0
 
LVL 1

Expert Comment

by:cdnq8
ID: 18856262
I agree with eglone: just make a simple user with standard rights and make him a Remote Desktop user so that he can access the system, or whatever rights and permissions you want to grant him. But be specific with us about why you need him to access your domain.

Taher
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18856587
That would work for a member server, but not for a DC. There are no local accounts on domain controllers, these are all removed when dcpromo is run.  (Go into compmgmt.msc on a DC if you don't believe me.  :-))

I think we need the OP to provide additional information before we can make an informed recommendation.
0
 

Author Comment

by:phcharland
ID: 18857367
We have a server in a remote location that an outside source needs to be able to manage. They cannot have any access beyond that server and no other rights on the domain. But since it's a DC I don't know how to do that...
0
 
LVL 30

Accepted Solution

by:LauraEHunterMVP (earned 1000 total points)
ID: 18857401
Put simply, you can't.  There's no such thing as a local group on a domain controller, the only accounts that you can create are domain accounts.  If you make someone a member of the Administrators group on 1 DC, they are a member of the administrators group on -every- DC.

This gets marginally better in Longhorn, but in 2000 & 2003 AD you can't give someone administrative rights to just one DC without giving them rights to every DC, as well as to your entire Active Directory.

0
 
LVL 3

Expert Comment

by:eglone
ID: 18858880
Actually, simply put, you can. Go into ADU&C. Make a new user. In their property page under the Account tab there is a button that says "Log On To..."; you can limit what computers they log on to there. Now, as an admin, they would still have the ability to go in and change that themselves, but you would see that in the event logs. MVP needs a coffee break.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18858950
I disagree with your solution, as it's unenforceable (as you yourself mentioned) and still hands that user the keys to the kingdom by making them an Administrator (or <insert name of group> member) on all DCs.  As workarounds go, I would deem that one sub-optimal at best.

(And there's no call for rudeness, really.)
0
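Added example, not from any participant in this thread: a PowerShell audit script that checks the two posts above against a live directory. It assumes the RSAT ActiveDirectory module (Server 2008 R2 or later), so it runs from a newer admin host rather than on a 2003 DC itself, and it assumes the 2008+ Security log format, where the "user account changed" event is 4738 (2003 logged the same change as event 642). It lists every user who is a direct or nested member of a group that is administrative on all DCs, shows whether a "Log On To..." list (the LogonWorkstations attribute) is set on that account, and then looks for recent account-change events that touched that attribute.

```powershell
# Added example, not from this thread: audit which accounts hold DC-wide admin rights and
# whether a "Log On To..." (LogonWorkstations) restriction is set on them.
# Assumes the RSAT ActiveDirectory module (Server 2008 R2 or later) on a domain-joined host.
Import-Module ActiveDirectory

# Membership in any of these grants administrative rights on every DC in the domain:
# Builtin\Administrators on a DC is a domain-wide group, not a per-machine one.
$privilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins')

$report = foreach ($groupName in $privilegedGroups) {
    try {
        $group = Get-ADGroup -Identity $groupName -ErrorAction Stop
    } catch {
        # Enterprise Admins only exists in the forest root domain; skip it elsewhere.
        continue
    }

    # -Recursive flattens nested groups so indirectly privileged users are not missed.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.DistinguishedName -Properties LogonWorkstations
            # A non-empty LogonWorkstations value is the "Log On To..." list from ADUC.
            $restricted = -not [string]::IsNullOrEmpty($user.LogonWorkstations)
            if ($restricted) {
                $assessment = 'Logon list set, but the account can clear it itself (still admin on all DCs)'
            } else {
                $assessment = 'No logon restriction'
            }
            [pscustomobject]@{
                Group             = $groupName
                SamAccountName    = $user.SamAccountName
                LogonWorkstations = $user.LogonWorkstations
                Assessment        = $assessment
            }
        }
}

$report | Sort-Object SamAccountName, Group | Format-Table -AutoSize

# Detection side: recent "user account changed" events where the User Workstations
# attribute was touched. Assumes a 2008+ DC Security log (event 4738, which shows '-'
# for attributes that did not change); Server 2003 logged the same change as event 642.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4738; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'User Workstations:\s+(?!-\s)\S' } |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Run it from an account that can read group membership and the DC's Security log. Every row in the report is an account that is an administrator on every DC regardless of what its Assessment column says; the detection query only shows that the restriction was changed after the fact, which is the reactive monitoring the thread is arguing about.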
 
LVL 15

Expert Comment

by:czcdct
ID: 18859004
But eglone, your solution works for no longer than the 8 seconds it takes for the other guy to go and change his rights.
As for looking at the logs, you would have to monitor the logs using your solution and also if you did nothing in the first place.

Don't be rude to people, they are here of their own free will to bring you the benefit of their experience and on this one Laura is bang on the button.
0
 
LVL 3

Expert Comment

by:eglone
ID: 18859298
I apologize for the comment made towards Laura, long morning and uncalled for.  However, I stand by my solution.  If you're going to let a third party manage your servers, you should be checking your logs regardless of what rights you give them.  You should be checking your security logs whether you have a third party or not; that's just SOP in the companies that I have worked for.  Honestly, unless the person working on your machine already knows about how to do this, it's not very common knowledge that you can do this.  Third-party management for a server is a sticky situation no matter how you go about it, especially on a DC.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18859450
We'll have to agree to disagree, then.  I don't give third-party vendors admin rights to a DC, full stop, because there is no way to do so that can satisfy my security requirements.  Any workarounds like the one you describe are easily thwarted despite the best preventative measures one can take to the contrary. Auditing is reactive, not proactive, and if someone has rights to a DC, they also have rights to muck with the audit logs to cover the trail of things they've done.

Ultimately I won't base a security decision on the premise of "Yeah, but nobody knows how to take advantage of that" because, while the third-party vendor may not know what an elevation of privilege attack is, the virus that they just downloaded onto their admin workstation (and thus onto my DC)...-does- know how to do that.

If you stand by your solution, that's your choice to make the recommendations that you see fit.  For myself and most of my peers in the AD consulting world, I wouldn't go that route for all the tea in Ceylon, China, and India combined.
0
 
LVL 3

Expert Comment

by:eglone
ID: 18859603
I wouldn't give a third party admin access to my DC either, but the person who posted this made it sound necessary.  And if you can't trust your own third party with rights, you need to learn how to bring it in house.  For all practical purposes, all your domain admins can do this and you still need to audit your logs.  Still yet, we'll have to agree to disagree.
0
 
LVL 1

Expert Comment

by:cdnq8
ID: 18868890
Hi, I was talking about a domain account and not a local user.
Taher
0