Hello:

I need to know if there is a way to give admins the rights they need to
the domain/files and folders on DC's and servers without granting them GOD
rights? Is there a best practice out there or has anyone done it. Basically
we don't want to put any Admin into the Domain Admin Group, instead create a
group that gives them the folder/file, and disk rights they need to do the
job of a network administrator. Is there a case study or anything of that
nature that will help us define those rights and privs? Any help would be
appreciated, thanks.

Re: AD Domain Administrator Priv/rights by Steven

Steven
Tue Sep 27 18:08:37 CDT 2005

If all you want to do is to manage access to files/folders then modify share
and ntfs permissions for the users that need access which could be regular
domain users assuming you are not talking about the administrative shares
such as C$. If you want the user to install applications on a domain
controller then they would need to be an administrator for the domain unless
the application is a .msi package that can be published via Group Policy
Software Installation. If you could be more specific on exactly what you
need these users to do someone on this newsgroup could probably be of
help. --- Steve


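The share-plus-NTFS approach described in the reply above, as an added example that is not part of the original posts. The domain `CONTOSO`, group `FileServer-Operators`, share `Projects` and path `D:\Shares\Projects` are assumed names, and the folder is assumed to live on a member server rather than a domain controller.

```powershell
# Added example; all names below are assumptions, not values from the thread.
Import-Module ActiveDirectory

$domain = 'CONTOSO'
$group  = 'FileServer-Operators'
$path   = 'D:\Shares\Projects'
$share  = 'Projects'

# 1. Dedicated security group; its members remain ordinary domain users.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Description 'Manages project file shares without Domain Admins membership'
}

# 2. NTFS: grant Modify on the folder, inherited by subfolders and files.
$ruleArgs = "$domain\$group", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Share permission: Change for the same group. Effective access over the
#    network is the more restrictive of the share and NTFS permissions.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $path -ChangeAccess "$domain\$group"
}

# 4. Review: show the resulting entries and list any account that is in both
#    the delegated group and Domain Admins, which would defeat the separation.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -eq "$domain\$group" } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags

$ops = (Get-ADGroupMember -Identity $group -Recursive).SamAccountName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $ops -contains $_.SamAccountName } |
    Select-Object SamAccountName
```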



Re: AD Domain Administrator Priv/rights by MarcJohnson

MarcJohnson
Wed Sep 28 06:38:01 CDT 2005

Thank you Steve. Sounds like I need Sr. Mgt to clarify their role.

Marc


Re: AD Domain Administrator Priv/rights by Roger

Roger
Fri Sep 30 08:42:21 CDT 2005

Marc,

As an added clarification, if it is only file control, then one may also
want to examine where/how resources are being deployed, as those
could easily, and many would say should, be placed on a non-DC,
guarding the DCs from unneeded exposures (to skill levels that is).

--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4