Restricting access to remote sites.

icuadmin
We have a site in China which is looked after by an external IT company which provides 'hands-on' support for us when remote access simply won't do.  This site is linked by AD (single forest) to our sites in the UK and I was wondering what is the best way to ensure they can have access to the site in China, but not to the UK sites.  I don't want to restrict them so they can't do their jobs, but they should be able to be an Administrator for the site in China, but not 'meddle' outside of 'their' site.  Any ideas how to implement this?
Are the Chinese machines in the same OU?

If not, and you have an OU for China and one for the UK, then create a security group for remote access to the China OU by the Chinese security group.
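As an added example (not code posted in this thread), here is how the OU-scoped delegation suggested above can be done with the ActiveDirectory PowerShell module, followed by a check that the delegated group has not been nested into a domain-wide admin group. The OU distinguished name OU=China,DC=corp,DC=example and the group name China-SiteAdmins are assumed placeholders.

```powershell
# Added example: delegate admin control of the China OU to a dedicated
# security group, then verify the delegation stays scoped to that OU.
# Assumed values: OU DN and group name below are placeholders.
# Run once as a Domain Admin; the delegated group itself never needs
# Domain Admins membership.
Import-Module ActiveDirectory

$ChinaOU   = "OU=China,DC=corp,DC=example"   # assumed DN
$GroupName = "China-SiteAdmins"               # assumed group name

# 1. Create the group inside the OU it will administer (idempotent).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                         -Path $ChinaOU -PassThru
}

# 2. Grant the group full control over the OU and everything beneath it.
#    The ACE lives on this OU only, so objects outside it (including the
#    Domain Controllers OU) are unaffected.
$acl = Get-Acl -Path "AD:\$ChinaOU"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ChinaOU" -AclObject $acl

# 3. Verify: the group must not be nested in any domain- or forest-wide
#    admin group, or the OU scoping is meaningless.
$privileged = "Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"
foreach ($p in $privileged) {
    if (Get-ADGroupMember -Identity $p -Recursive | Where-Object { $_.SID -eq $group.SID }) {
        Write-Warning "$GroupName is nested in '$p' - delegation is no longer scoped to $ChinaOU"
    }
}

# 4. Show the resulting ACE so the delegation can be reviewed and audited.
(Get-Acl -Path "AD:\$ChinaOU").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
```

Because the China DC's computer object sits in the Domain Controllers OU rather than the China OU, this delegation grants no rights over the DC itself; promoting or restoring a DC still requires Domain Admins, as the later comments note.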
Top Expert 2013

Commented:
So right now are there domain admins or people in the built-in Administrators group (on domain controllers) that are based out of China?   If that is the case then you really can't do much.

Have you thought about using a read only domain controller at the China site?  An RODC admin doesn't need to be a domain admin.

You can also use restricted groups to give them admin rights on the local PCs in China.

Thanks

Mike

Author

Commented:
Chinese machines ARE in the same OU.
The Chinese DC is in the same OU as all the other DCs.
The DC in China is based on Windows Server 2003, so we can't make it read only I'm afraid.
Top Expert 2013

Commented:
So there are Domain Admins in China?

Author

Commented:
They don't.  But we need to give them the right level of access so they can recover the server in the event of a disaster, but not enough access so they can start looking outside of China.
Top Expert 2013

Commented:
They would need rights to run dcpromo to get the DC back up.  There are articles around that talk about doing that delegation.  I won't post any of them because I haven't tested that scenario so I don't want to post without testing.

Thanks

Mike
Commented:
For promoting or restoring a DC, you need a domain admin, and domain admin is everything in a single forest/domain. One way to keep a check is real-time monitoring using SCOM or some other tool and enabling auditing on the DC. A person who wants to restore a DC or promote it requires nothing less than domain admin membership, and by default all domain users can read AD data, as all domain users are members of the Authenticated Users group.


Author

Commented:
Thanks.
