Here's a hack that will help you secure any domain controllers you have running at a remote site.

Active Directory has introduced many new levels of complexity to server and security management. For example, if you would like to grant a remote site administrator the rights to install software or services on a domain controller, that person would have to be a domain administrator. Granting that person domain administrator rights introduces the possibility of that user creating new accounts with administrative rights. Obviously, this is not an ideal situation. The following steps show how to grant a user the same level of rights as an administrator of a member server or a workstation on a domain controller, while preventing that user from having rights to Active Directory.
Figure 8-4. Denying Full Control permission for the DenyDCAdmins global group

Now, all users or groups that are members of the DCAdmins group have full administrative access to all domain controllers but do not have any access to Active Directory.
Overall, this is a great approach for limiting the rights of remote administrators and operations teams that need to be able to make changes on domain controllers. I highly recommend trying this approach before blanketing your Active Directory environment with unnecessary domain administrators.

Tim Mintner