• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 156
  • Last Modified:

What is "best practise" for transferring ownership of a member server to another organisation when the server has to stay in your network ?

Dear Xperts,

I have asked this question before but I just need to make absolutely sure that I am taking the "best route".

We have a couples of servers running apps.  Another company wants to take contractual ownership / support of these servers and I need to work out the best way of giving this organisation admin access to these servers.  The problem is that these servers have to stay on our network (i.e. our physical network) and they are both in OUR domain (forest) at the moment.

The options I was considering were as follows:

a) disjoin both member servers from our domain and put them into a workgroup + remove our local admin account and enable remote desktop access to the other company on both boxes (with a local admin account that they can use) - job done - we would lose access and they would gain it, right ?

b) keep both servers in our domain - but create a new OU in our AD and move both computer accounts into this OU.  Then delegate control of this OU (and the objects within it) to the other organisation.

Which option sounds best ?  If we go for B) then isn't there a risk that the other company would be able to access our domain ?  Which option is the "cleanest" and adheres to MS "best practise" ?

Thanks experts, as always :-)

  • 2
  • 2
4 Solutions
Hi richardstuartpowell,

Option A is the only way you can give the other company access without security issues to your own network. It will aslo allow that the clients inside your network won't be able to communicate with these servers.

richardstuartpowellAuthor Commented:
Hi JoWickerman

That sounds great - so option A is the best route.  One more thing however, you added "It will aslo allow that the clients inside your network won't be able to communicate with these servers." - is there a risk that the apps these servers run will stop working ?

I believe that one is running some kind of A/V update service.  This won't use domain account authentication though, will it ?

I was thinking of just suggesting option A and letting the other company work it out !

Well... Technically, av update should not be a problem. Other programs that need to autheticate might be an issue...

LOL! Yeah, if the want to maintain the servers, let them sort out if issues appear!

As JoWickerman states, option A is the safest as far as security goes - but it also means that your domain clients (computers) will not be able to access anything on these servers which I suspect is unacceptable. Can you not give this company (presumably a trusted partner) an AD account with which to control the servers, but nothing else in the domain? That is fairly standard practice in these type of scenarios.

Create an AD account that is locked so that it can only log on to these two servers. Ensure that it has no permissions on any other servers.
richardstuartpowellAuthor Commented:
Hi JaredJ1

This is a good point.  At the moment we are just examining all of the options.  Thanks to everyone who responded to my query - I am always impressed with the answers I receive on this website !

If no-one else wants to chip-in I will close this question and distribute the points ...

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now