Solved
Restricting access to remote sites.

Posted on 2011-09-02
Last Modified: 2012-08-14
We have a site in China which is looked after by an external IT company which provides 'hands-on' support for us when remote access simply won't do. This site is linked by AD (single Forest) to our sites in the UK and I was wondering what is the best way to ensure they can have access to the site in China, but not to the UK sites. I don't want to restrict them so they can't do their jobs, but they should be able to be an Administrator for the site in China, but not 'meddle' outside of 'their' site. Any ideas how to implement this?
Question by:icuadmin
8 Comments
 
LVL 14

Expert Comment

by:athomsfere
ID: 36474059
Are the Chinese machines in the same OU?

If not, and you have an OU for China and one for the UK, then create a security group for remote access to the China OU by the Chinese security group.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36474064
So right now are there Domain Admins or people in the built-in Administrators group (on domain controllers) that are based out of China? If that is the case then you really can't do much.

Have you thought about using a read only domain controller at the China site?  An RODC admin doesn't need to be a domain admin.

You can also use restricted groups to give them admin rights on the local PCs in China.

Thanks

Mike
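The two suggestions above (a separate OU with its own security group, and keeping that group out of Domain Admins) can be put in place with the ActiveDirectory PowerShell module. The script below is an added example and is not code from any poster in this thread; it assumes an OU named "China", a group named "CN-Site-Admins", and a management host with RSAT that can reach a DC over Active Directory Web Services (a 2008 R2 or later DC, or the Management Gateway Service on 2003). It delegates control of computer objects under the site OU only, then checks that the group holds no ACEs on the domain root or the Domain Controllers OU:

```powershell
# Added example, not from the thread. Scopes an external support team's rights to
# one site OU instead of Domain Admins. Assumed names: OU "China", group "CN-Site-Admins".
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$ouName    = "China"
$chinaOuDn = "OU=$ouName,$domainDn"
$groupName = "CN-Site-Admins"

# schemaIDGUID of the 'computer' object class (well-known value)
$computerClassGuid = [guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

# 1. Site OU and site admin group, created only if missing
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $chinaOuDn `
        -Description "External support: admin over the $ouName OU only"
}
$groupSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID

# 2. Delegation on the site OU only: create/delete computer objects beneath it,
#    and full control of computer objects that sit beneath it. Nothing is granted
#    at the domain root, so the UK OUs and the Domain Controllers OU are untouched.
$acl = Get-Acl -Path "AD:\$chinaOuDn"
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$fullOnComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)
$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullOnComputers)
Set-Acl -Path "AD:\$chinaOuDn" -AclObject $acl

# 3. Check: the group must hold no direct ACEs on the containers it should never touch.
function Test-DelegationScope {
    param([string]$GroupName, [string[]]$ProtectedDns)
    $leaks = foreach ($dn in $ProtectedDns) {
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { $_.IdentityReference -like "*\$GroupName" } |
            ForEach-Object { "$dn : $($_.ActiveDirectoryRights) ($($_.AccessControlType))" }
    }
    if ($leaks) { Write-Warning "Unexpected ACEs for ${GroupName}:"; $leaks }
    else { "OK: $GroupName has no direct ACEs on $($ProtectedDns -join '; ')" }
}
Test-DelegationScope -GroupName $groupName -ProtectedDns @($domainDn, "OU=Domain Controllers,$domainDn")
```

Local administrator rights on the China workstations and member servers are then handed out with a Restricted Groups policy linked to the China OU, as Mike suggests, rather than by ACL. Two limits worth keeping in mind: this delegation does not stop the group reading the rest of the directory (every domain user can, via Authenticated Users), and it gives no rights over the China DC itself, which lives in the Domain Controllers OU.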
 
LVL 1

Author Comment

by:icuadmin
ID: 36474085
Chinese machines ARE in the same OU.
The Chinese DC is in the same OU as all the other DCs.
The DC in China is based on Windows Server 2003, so we can't make it read-only, I'm afraid.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36474124
So there are Domain Admins in China?
 
LVL 1

Author Comment

by:icuadmin
ID: 36474138
They don't. But we need to give them the right level of access so they can recover the server in the event of a disaster, but not enough access so they can start looking outside of China.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36474334
They would need rights to run dcpromo to get the DC back up.  There are articles around that talk about doing that delegation.  I won't post any of them because I haven't tested that scenario so I don't want to post without testing.

Thanks

Mike
 
LVL 24

Accepted Solution

by:
Awinish earned 2000 total points
ID: 36480889
For promoting or restoring a DC, you need a Domain Admin, and a Domain Admin is everything in a single forest/domain. One way to keep a check is real-time monitoring using SCOM or some other tool and enabling auditing on the DC. A person who wants to restore a DC or promote it requires nothing less than Domain Admins membership, and by default all domain users can read AD data, as all domain users are members of the Authenticated Users group.
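Since the accepted answer's position is that DC recovery cannot be delegated below Domain Admins and the remaining control is auditing, here is what that auditing looks like in practice. This is an added example, not code from the thread: it assumes a DC running Windows Server 2008 or later (the China DC in this thread is 2003, where only the legacy "Audit directory service access" policy exists), the ActiveDirectory module, and the same assumed group "CN-Site-Admins" and OU "OU=China,<domain>" as names to report against. It enables the Directory Service Changes and Security Group Management audit subcategories, adds a SACL so that object writes actually produce event 5136, and then reports writes by members of the site group that landed outside the site OU:

```powershell
# Added example, not from the thread. Enables AD change auditing and reports changes
# made by members of an assumed site admin group to objects outside an assumed site OU.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$chinaOuDn = "OU=China,$domainDn"
$groupName = "CN-Site-Admins"

# 1. Audit policy on this DC. In production set the same subcategories in the
#    Default Domain Controllers Policy so every DC records them.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable | Out-Null

# 2. SACL: event 5136 is only generated for objects whose SACL requests it.
#    Audit every successful write by anyone (S-1-1-0 = Everyone) on the domain
#    root and all objects below it.
$everyone  = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
     [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$domainDn" -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# 3. Report: 5136 (object modified) events whose actor is a member of the site
#    group and whose target DN is not under the site OU.
function Get-OutOfScopeChanges {
    param([string]$GroupName, [string]$ScopeDn, [int]$Days = 1)
    $members = Get-ADGroupMember -Identity $GroupName -Recursive |
        ForEach-Object { $_.SamAccountName.ToLower() }
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $actor  = ("$($data['SubjectUserName'])").ToLower()
        $target = "$($data['ObjectDN'])"
        if ($members -contains $actor -and $target -notlike "*,$ScopeDn") {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Actor     = $actor
                ObjectDN  = $target
                Attribute = $data['AttributeLDAPDisplayName']
                Operation = $data['OperationType']   # %%14674 = value added, %%14675 = value deleted
            }
        }
    }
}
Get-OutOfScopeChanges -GroupName $groupName -ScopeDn $chinaOuDn | Format-Table -AutoSize
```

The report only catches what the DC logs, so the Security log size and retention on the DC need to be large enough to cover the review interval, and the same query belongs in whatever central tool (SCOM, a SIEM) collects DC events so that a site admin cannot clear the local log before anyone looks at it.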
 
LVL 1

Author Closing Comment

by:icuadmin
ID: 36521478
Thanks.