[THIN] Re: OT: Domain Controller Security...

  • From: "Paul DeHaan" <wppad@xxxxxxxxx>
  • To: <lynch00@xxxxxxx>, <thin@xxxxxxxxxxxxx>
  • Date: Fri, 21 May 2004 14:19:12 -0400

This won't help you much but... I attempted the same thing for a while.
Each remote location had a DC that was a file/print server, but we only
wanted the tech to have rights to that DC and not the other
domain/enterprise DC's.  Don't recall if I got the sharing working, but I
reset most of the reg permissions to add the local admins for that Site OU.
Problem was, to manage DHCP and other services you have to change a lot of
system32 and other location permissions... it's a never-ending battle for
every service or application.  I was never able to give them the ability to
install service packs without being server operators or admins.  Even
broke down and called MS and they promptly told me that it is not designed
to work like this.  I pushed hard and got some MS engineers but they
concluded the same.

I ended up buying some cheap 1.2 GHz Compaq servers (~$800 ea) to be DC's
that would just sit and never be touched by the local guys.  Then demoted
the other servers and made the local guys admins on those servers.  It has
worked flawlessly for 8 or so months, with much less headache.  It is also
more secure and stable keeping everyone off of those DC boxes.

Major down side is the 800 a pop and the extra space of the servers (and
time of course, but it sounds like you are spending plenty of that now).
<grin>

Regards,
Paul

>>> lynch00@xxxxxxx 05/21/04 11:27AM >>>

I'm wondering if anyone has accomplished the following:

Provided different security policies to multiple DC's within the same
domain, but different OU's for field techs to manage resources on
just that DC without giving Server Operators rights.

I have almost all of the requirements resolved, except the ability to
create shares.  I have modified the security on the
HKLM\System\CurrentControlSet\Services\LanManserver and
HKLM\System\ControlSet001\Services\LanManserver with no success.
Every document I have read about where the shares definitions are
stored are located in these two reg keys.

I know the simple way would be to deploy another server to that
location and give them local Administrator rights.  But, management
doesn't want to do this.

Thanks for any input,

Chris Lynch



********************************************************
This Week's Sponsor - Tarantella Secure Global Desktop
Tarantella Secure Global Desktop Terminal Server Edition
Free Terminal Service Edition software with 2 years maintenance.
http://www.tarantella.com/ttba
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
