Solved

Access to DC without domain admin rights in windows 2003

Posted on 2007-04-04
569 Views
Last Modified: 2008-06-01
Is there any way that you can grant access to someone outside of a domain on a domain controller without giving them domain admin rights?
Question by:phcharland
14 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 18853508
Perhaps - would they have a domain account of 'any' kind?
Are you looking to give them permissions to modify directory object?
You might look into Delegation of Control, if so (right-click the domain to get at it)
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18853593
What type of access are you trying to allow?  Can you be more specific about what you are trying to accomplish?
0
 
LVL 3

Expert Comment

by:eglone
ID: 18855783
If they can still use Remote Desktop, all you would need to do is create a local account on the DC for them and make sure that they know they have to change that option when they are logging into the system.
0
 
LVL 1

Expert Comment

by:cdnq8
ID: 18856262
I agree with Eglone, just make a simple user having standard rights, make him a Remote Desktop user, so that he can access the system, or it depends on what rights and permissions you want to grant him, but be specific with us as to why you need him to access your domain.

Taher
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18856587
That would work for a member server, but not for a DC. There are no local accounts on domain controllers, these are all removed when dcpromo is run.  (Go into compmgmt.msc on a DC if you don't believe me.  :-))

I think we need the OP to provide additional information before we can make an informed recommendation.
0
 

Author Comment

by:phcharland
ID: 18857367
We have a server in a remote location that an outside source needs to be able to manage. They cannot have any access beyond that server and no other rights on the domain. But since it's a DC I don't know how to do that...
0
 
LVL 30

Accepted Solution

by:LauraEHunterMVP (earned 250 total points)
ID: 18857401
Put simply, you can't.  There's no such thing as a local group on a domain controller, the only accounts that you can create are domain accounts.  If you make someone a member of the Administrators group on 1 DC, they are a member of the administrators group on -every- DC.

This gets marginally better in Longhorn, but in 2000 & 2003 AD you can't give someone administrative rights to just one DC without giving them rights to every DC, as well as to your entire Active Directory.

0
 
LVL 3

Expert Comment

by:eglone
ID: 18858880
Actually, simply put, you can. Go into ADU&C. Make a new user. In their property page under the Account tab, there is a button that says "Log On To..."; you can limit what computers they log on to there. Now, as an admin, they would still have the ability to go in and change that themselves, but you would see that in the event logs. MVP needs a coffee break.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18858950
I disagree with your solution, as it's unenforceable (as you yourself mentioned) and still hands that user the keys to the kingdom by making them an Administrator (or <insert name of group> member) on all DCs.  As workarounds go, I would deem that one sub-optimal at best.

(And there's no call for rudeness, really.)
0
 
LVL 15

Expert Comment

by:czcdct
ID: 18859004
But eglone, your solution works for no longer than the 8 seconds it takes for the other guy to go and change his rights.
As for looking at the logs, you would have to monitor the logs using your solution and also if you did nothing in the first place.

Don't be rude to people, they are here of their own free will to bring you the benefit of their experience and on this one Laura is bang on the button.
0
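The disagreement above turns on one fact: a "Log On To" (LogonWorkstations) restriction placed on an account that is itself an administrator on the DCs is advisory, because the holder can remove it, so the only real control is knowing exactly who holds DC admin rights and watching for changes. The following report script is an added example, not code from the thread or from any of its participants. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later), which did not exist for the 2003-era thread; the group names are the built-in ones, and the event IDs in the comments are the standard group-membership audit events.

```powershell
# Added example (not from the thread): list every user who is an administrator
# on the domain controllers, the group(s) that grant it, and whether a
# "Log On To" (LogonWorkstations) restriction is set on the account. The
# restriction is flagged as advisory because an administrator can clear it.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later).
Import-Module ActiveDirectory

# Membership in any of these groups makes the account an administrator on
# every DC in the domain (the built-in Administrators group is domain-wide
# on DCs, which is the thread's point about "1 DC" versus "every DC").
# Membership changes are audited on the DC that performs them as events
# 4728/4732/4756 (Windows Server 2008 and later) or 632/636/660 (Windows 2003).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

function Get-DcAdminReport {
    # Map each user DN to the list of privileged groups that grant the rights.
    $membership = @{}
    foreach ($groupName in $PrivilegedGroups) {
        try {
            # -Recursive expands nested groups, so indirect members are included.
            $members = Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop
        } catch {
            continue   # e.g. Enterprise Admins exists only in the forest root domain
        }
        foreach ($m in ($members | Where-Object { $_.objectClass -eq 'user' })) {
            if (-not $membership.ContainsKey($m.DistinguishedName)) {
                $membership[$m.DistinguishedName] = New-Object System.Collections.Generic.List[string]
            }
            $membership[$m.DistinguishedName].Add($groupName)
        }
    }

    foreach ($dn in $membership.Keys) {
        $user = Get-ADUser -Identity $dn -Properties LogonWorkstations, Enabled, LastLogonDate
        $restricted = -not [string]::IsNullOrEmpty($user.LogonWorkstations)
        [PSCustomObject]@{
            SamAccountName    = $user.SamAccountName
            Enabled           = $user.Enabled
            GrantedVia        = ($membership[$dn] -join ', ')
            LogonWorkstations = if ($restricted) { $user.LogonWorkstations } else { '(unrestricted)' }
            # A "Log On To" list on an admin account is not a security boundary:
            # the account holder has the rights needed to remove it.
            RestrictionNote   = if ($restricted) { 'advisory only: holder is a DC admin' } else { '' }
            LastLogonDate     = $user.LastLogonDate
        }
    }
}

Get-DcAdminReport | Sort-Object GrantedVia, SamAccountName | Format-Table -AutoSize
```

Run it from a management workstation with the RSAT module installed; any third-party account appearing in the output holds rights on every DC in the domain regardless of what its LogonWorkstations column says, which is the condition the accepted answer describes.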
 
LVL 3

Expert Comment

by:eglone
ID: 18859298
I apologize for the comment made towards Laura, long morning and uncalled for.  However, I stand by my solution.  If you're going to let a third party manage your servers, you should be checking your logs irregardless of what rights you give them.  You should be checking your security logs whether you have a third party or not, that's just a SOP in the companies that I have worked for.  Honestly unless the person working on your machine already knows about how to do this, it's not very common knowledge that you can do this.  Third party management for a server is a sticky situation no matter how you go about it, especially on a DC.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18859450
We'll have to agree to disagree, then.  I don't give third-party vendors admin rights to a DC, full stop, because there is no way to do so that can satisfy my security requirements.  Any workarounds like the one you describe are easily thwarted despite the best preventative measures one can take to the contrary. Auditing is reactive, not pro-active, and if someone has rights to a DC, they also have rights to muck with the audit logs to cover the trail of things they've done.

Ultimately I won't base a security decision on the premise of "Yeah, but nobody knows how to take advantage of that" because, while the third-party vendor may not know what an elevation of privilege attack is, the virus that they just downloaded onto their admin workstation (and thus onto my DC)...-does- know how to do that.

If you stand by your solution, that's your choice to make the recommendations that you see fit.  For myself and most of my peers in the AD consulting world, I wouldn't go that route for all the tea in Ceylon, China, and India combined.
0
 
LVL 3

Expert Comment

by:eglone
ID: 18859603
I wouldn't give a third party admin access to my DC either, but the person who posted this made it sound necessary.  And if you can't trust your own third party with rights, you need to learn how to bring it in house.  For all practical purposes, all your domain admins can do this and you still need to audit your logs.  Still yet, we'll have to agree to disagree.
0
 
LVL 1

Expert Comment

by:cdnq8
ID: 18868890
Hi, I was talking about a domain account and not a local user.
Taher
0
