Solved

Allow non-administrators to install updates on domain controller

Posted on 2007-07-26
Last Modified: 2008-05-31
I have about 330 remote Windows 2003 domain controllers. I would like my QA group to be able to install program updates without being a domain administrator.  Is this possible and, if so, can it be set via GPO.  Thanks for your help in advance.
Question by:jhwebb55
8 Comments
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 19576576
What kind of program updates? What are you running on your domain controllers that need to be updated aside from Active Directory? It's considered a best practice to have your DCs be nothing but DCs -- mostly for recovery issues. For example, if a DC crashes, all that's required to put a new DC online is to build a basic W2K3 machine and promote it. Replication will take place and the machine will be a new DC. But if you have all kinds of other apps installed, then you have much more work to do.

So depending on what kind of updates they need to install, and what rights they need to have, and whether or not they need to remotely or locally log into the machine, would depend on the correct answer.
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 19576602
Nope.  Install updates on a DC == log on locally to a DC == local Administrator on a DC == effectively Domain Admin.  WSUS or a third-party patching solution (Shavlik or the like) is your best bet here.

(You may be saying to yourself "But I can make someone a Server Operator to let them log on locally to a DC."  And while this is true, allowing someone to log on locally to a DC makes them a de facto Domain Admin, regardless of what group membership they may possess.)
 
LVL 2

Author Comment

by:jhwebb55
ID: 19576958
Ok, I gave you bad information. The QA group isn't trying to update any programs. There are some files that are stored on each DC that periodically need to be overwritten with new ones. They do not have that permission as normal users. I need them to be able to overwrite those files with the current ones without being domain admins. Possible?
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 19576991
As in, I have a file shared as \\dc1\fileshare\file.txt and your QA group needs to be able to update file.txt with new data?  

Sure.  Grant them Modify permission to the share and Modify permission at the NTFS level, they can update/overwrite the file by mapping to the remote share without actually needing to log onto the console of the DC.
 
LVL 2

Author Comment

by:jhwebb55
ID: 19577163
I could do that but I have 330 machines. I am working on getting DFS Replication going but I can't implement that for another 3 weeks. Is there a way to add their group to that folder via GPO?
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 19577249
Are you referring to setting security on the folder?  If so, folder security can be managed via GPO but not shares - creating and modifying shares can't be handled via GPO.  You can set security on a folder using the Computer Configuration-->Windows Settings-->Security Settings-->File System node.  On a GPO linked to the Domain Controllers OU, browse to this node, add the folder you want to secure and set the ACL and inheritance the way you want.

If you need to create shares, you'll need to do this using vbscript or the 'net share' command.
 
LVL 2

Author Comment

by:jhwebb55
ID: 19577507
I think I see what you mean. You are saying all of the DCs have to have the same folder shared (which they currently do), browse to it via the GP editor using that path in your last post, and then set the perms as necessary. Correct?
 
LVL 30

Accepted Solution

by:LauraEHunterMVP (earned 2000 total points)
ID: 19577550
Correct.  If each DC has a share called \\DC<X>\share that maps to C:\share on each DC, then set the permissions on c:\share once at the GP level and have done.  Keep in mind that it's based on the physical path to the file and not the UNC path, so if \\DC<x>\share maps to C:\share on some DCs and D:\share on other DCs, you'll need to create two entries in the GPO.
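The accepted solution hinges on two things an admin should verify before authoring the File System entry: the physical path behind \\DC<X>\share on every DC (one GPO entry per distinct local path), and that the QA group ends up with Modify rather than something wider. The following is an added example, not code from the thread or its participants; it assumes the share is named `share`, the QA group name is a placeholder, and the account running it can query WMI and read ACLs on each DC.

```powershell
# Added example (not from the thread). Assumed values: share name and QA group.
$ShareName = 'share'            # assumed share name, matching \\DC<X>\share in the thread
$QaGroup   = 'DOMAIN\QA-Group'  # placeholder: the group that should get Modify

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$report = foreach ($dc in $domain.DomainControllers) {
    $name = $dc.Name
    try {
        # Ask each DC where the share actually lives (C:\share, D:\share, ...)
        $share = Get-WmiObject -Class Win32_Share -ComputerName $name `
                               -Filter "Name='$ShareName'" -ErrorAction Stop
    } catch {
        [pscustomobject]@{ DC = $name; Path = $null; QaRights = $null
                           Note = "WMI query failed: $($_.Exception.Message)" }
        continue
    }
    if (-not $share) {
        [pscustomobject]@{ DC = $name; Path = $null; QaRights = $null; Note = 'share not found' }
        continue
    }
    # Turn the local path (C:\share) into an admin-share UNC path (\\dc\C$\share)
    $unc = '\\' + $name + '\' + ($share.Path -replace '^([A-Za-z]):', '$1$')
    $acl = Get-Acl -Path $unc
    $qa  = $acl.Access | Where-Object { $_.IdentityReference -eq $QaGroup }
    $note = if (-not $qa) { 'QA group has no explicit ACE' }
            elseif ($qa.FileSystemRights -match 'FullControl') { 'WARNING: QA group has FullControl' }
            else { '' }
    [pscustomobject]@{
        DC       = $name
        Path     = $share.Path
        QaRights = ($qa | ForEach-Object { $_.FileSystemRights }) -join ','
        Note     = $note
    }
}

# Each distinct physical path needs its own entry under
# Computer Configuration > Windows Settings > Security Settings > File System
"Distinct physical paths behind \\<DC>\$ShareName (one GPO entry each):"
$report | Where-Object { $_.Path } | Group-Object Path | Select-Object Name, Count

"Per-DC result:"
$report | Format-Table -AutoSize
```

Run it before creating the GPO to learn how many File System entries you need, and again afterwards to confirm the QA group's effective rights on each DC are Modify and nothing broader.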
