Allow non-administrators to install updates on domain controller

I have about 330 remote Windows 2003 domain controllers. I would like my QA group to be able to install program updates without being a domain administrator. Is this possible and, if so, can it be set via GPO? Thanks for your help in advance.
jhwebb55 Asked:
 
LauraEHunterMVP Commented:
Correct.  If each DC has a share called \\DC<X>\share that maps to C:\share on each DC, then set the permissions on c:\share once at the GP level and have done.  Keep in mind that it's based on the physical path to the file and not the UNC path, so if \\DC<x>\share maps to C:\share on some DCs and D:\share on other DCs, you'll need to create two entries in the GPO.
 
dhoffman_98 Commented:
What kind of program updates? What are you running on your domain controllers that need to be updated aside from Active Directory? It's considered a best practice to have your DCs be nothing but DCs -- mostly for recovery issues. For example, if a DC crashes, all that's required to put a new DC online is to build a basic W2K3 machine and promote it. Replication will take place and the machine will be a new DC. But if you have all kinds of other apps installed, then you have much more work to do.

So the correct answer would depend on what kind of updates they need to install, what rights they need to have, and whether they need to log into the machine remotely or locally.
 
LauraEHunterMVP Commented:
Nope.  Install updates on a DC == log on locally to a DC == local Administrator on a DC == effectively Domain Admin.  WSUS or a third-party patching solution (Shavlik or the like) is your best bet here.

(You may be saying to yourself "But I can make someone a Server Operator to let them log on locally to a DC."  And while this is true, allowing someone to log on locally to a DC makes them a de facto Domain Admin, regardless of what group membership they may possess.)
 
jhwebb55 (Author) Commented:
OK, I gave you bad information. The QA group isn't trying to update any programs. There are some files that are stored on each DC that periodically need to be overwritten with new ones. They do not have that permission as normal users. I need them to be able to overwrite those files with the current ones without being domain admins. Possible?
 
LauraEHunterMVP Commented:
As in, I have a file shared as \\dc1\fileshare\file.txt and your QA group needs to be able to update file.txt with new data?

Sure.  Grant them Modify permission to the share and Modify permission at the NTFS level; they can then update/overwrite the file by mapping to the remote share without actually needing to log onto the console of the DC.
 
jhwebb55 (Author) Commented:
I could do that but I have 330 machines. I am working on getting DFS Replication going but I can't implement that for another 3 weeks. Is there a way to add their group to that folder via GPO?
 
LauraEHunterMVP Commented:
Are you referring to setting security on the folder?  If so, folder security can be managed via GPO but not shares - creating and modifying shares can't be handled via GPO.  You can set security on a folder using the Computer Configuration --> Windows Settings --> Security Settings --> File System node.  On a GPO linked to the Domain Controllers OU, browse to this node, add the folder you want to secure and set the ACL and inheritance the way you want.

If you need to create shares, you'll need to do this using VBScript or the 'net share' command.
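An added example, not part of the thread and not Microsoft tooling: the File System node described above is stored in the GPO's GptTmpl.inf under `[File Security]`, one `"path",mode,"SDDL"` entry per physical path. This Python check reads such a file and reports any non-administrative trustee granted more than Modify, plus any expected physical path (for example C:\share versus D:\share) that has no entry; the sample file, the SID standing in for the QA group and the `c:\tools` path are constructed.

```python
import re

MODIFY = 0x1301BF                  # NTFS "Modify" access mask
ADMIN_TRUSTEES = {"BA", "SY"}      # Builtin Administrators, Local System
# Subset of SDDL rights aliases; an unknown alias is treated as Full Control.
ALIASES = {"FA": 0x1F01FF, "GA": 0x10000000, "FR": 0x120089, "FW": 0x120116,
           "FX": 0x1200A0, "SD": 0x10000, "RC": 0x20000}
ENTRY = re.compile(r'^"([^"]+)",\s*(\d)\s*,\s*"([^"]*)"$')  # "path",mode,"SDDL"

# Constructed sample; the SID stands in for the QA group. A real GptTmpl.inf
# is normally UTF-16 and must be decoded to text before being passed in.
SAMPLE_INF = r'''[Unicode]
Unicode=yes
[File Security]
"c:\share",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;S-1-5-21-1111-2222-3333-1105)"
"c:\tools",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;S-1-5-21-1111-2222-3333-1105)"
'''

def rights_mask(rights):
    """Convert an SDDL rights field (hex or two-letter aliases) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= ALIASES.get(rights[i:i + 2].upper(), 0x1F01FF)
    return mask

def audit(inf_text, expected_paths):
    """Return (path, trustee, problem) tuples for the [File Security] section."""
    findings, seen, section = [], set(), None
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        m = ENTRY.match(line) if section == "file security" else None
        if not m:
            continue
        path, sddl = m.group(1).lower(), m.group(3)
        seen.add(path)
        for ace in re.findall(r"\(([^)]*)\)", sddl):
            fields = ace.split(";")  # type;flags;rights;obj;inherit_obj;trustee
            if len(fields) == 6 and fields[0] == "A" and fields[5] not in ADMIN_TRUSTEES \
                    and rights_mask(fields[2]) & ~MODIFY:
                findings.append((path, fields[5], "more than Modify"))
    for path in (p.lower() for p in expected_paths):
        if path not in seen:
            findings.append((path, None, "no entry for this physical path"))
    return findings
```

Calling `audit(SAMPLE_INF, [r"C:\share", r"D:\share"])` flags the Full Control grant on `c:\tools` and the missing `d:\share` entry.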
 
jhwebb55 (Author) Commented:
I think I see what you mean. You are saying all of the DCs have to have the same folder shared (which they currently do), browse to it via the GP editor using that path in your last post, and then set the perms as necessary. Correct?
Question has a verified solution.