Security Basics mailing list archives
RE: restricted management for some users.
From: "Sullivan, Glenn" <GSullivan () DavidClark com>
Date: Thu, 20 May 2004 13:20:08 -0400
Why not install the admin tools on his workstation, to eliminate the need for him to log on locally... Then make him a member of the Domain Account Operators group.

As to the ERP, make a domain group called "ERP Admins". Make the "ERP Admins" group a member of the "Administrators" group on each of the 5 machines. Of course, this assumes that the ERP machines are not DCs... if they are, there is no such thing as "Local Administrators" for those machines, and it is going to be far more difficult to do what you desire.

Then, as your ERP admins (these 2 guys) come and go from the company, you can simply add their replacements' (or assistants' or whatever) domain accounts to the domain "ERP Admins" group and be done...

Remember: AGLP
A - "Accounts" get put into
G - "Global Groups" which get put into
L - "Local Groups" which should then be assigned
P - "Permissions" (in this case, administrative access)

HTH,

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.

-----Original Message-----
From: Bruyere, Michel [mailto:mbruyere () ezemcanada com]
Sent: Thursday, May 20, 2004 9:51 AM
To: security-basics () securityfocus com
Subject: restricted management for some users.

Hi,

I've been asked to do 2 things and I wanted to know what you guys think would be the best way. I already have a way to achieve my goal, but I'm looking for a better way to do that (if any exists). Here it goes:

1- I need to set up a user (the technician) to access the properties of accounts in AD (to reset passwords and/or unlock them). He has to log on locally/interactively on one of the DCs (the one with all the FSMO roles). BTW, I had something strange when I set the local policies on the DC to allow the user to log on locally. I had set all admin groups/accounts and this particular account. A few times after I did this, users began to call me telling me that they had a message that they couldn't log on interactively. Is there a way to set up "local" policies on the DC to allow a user account to log on locally?

2- I have to give full control over 5 servers to 2 guys, the ERP dev team. They should have the right to install/uninstall anything on the servers. I thought to give them an account which is local administrator on those servers.

Thanks

M.Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something is to start looking for something else. :-)

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
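The AGLP layout Glenn describes (domain accounts into a global "ERP Admins" group, that group into the local Administrators group on each of the 5 servers, plus Account Operators for the technician so he never needs to log on to the DC) can be scripted end to end. The following is an added example written for this archive page, not code from either poster; the domain name CONTOSO, the OU path, the server names ERP01 to ERP05 and the user names are constructed placeholders. It assumes the ActiveDirectory RSAT module on the admin workstation and the Microsoft.PowerShell.LocalAccounts module on the member servers, and it stops before touching any machine that turns out to be a domain controller, since a DC has no local Administrators group to add to.

```powershell
# Added example, not from the original post. Constructed assumptions:
# domain CONTOSO, group OU, servers ERP01..ERP05, ERP admins jdoe/asmith,
# technician tlee. Needs RSAT (ActiveDirectory module) on the workstation
# and the LocalAccounts module on the target servers.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$GroupName  = 'ERP Admins'
$GroupSam   = 'ERPAdmins'
$GroupOU    = 'OU=Groups,DC=contoso,DC=com'            # assumption
$ErpServers = 'ERP01','ERP02','ERP03','ERP04','ERP05'  # assumption
$ErpAdmins  = 'jdoe','asmith'                          # assumption
$Technician = 'tlee'                                   # assumption

# --- A -> G: put the two ERP accounts into one global security group ---
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupSam'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupSam `
        -GroupScope Global -GroupCategory Security -Path $GroupOU `
        -Description 'Members are local Administrators on the ERP servers (AGLP)'
}
Add-ADGroupMember -Identity $GroupSam -Members $ErpAdmins

# --- Guard: a DC has no local Administrators group, so refuse DCs ---
$dcNames    = (Get-ADDomainController -Filter *).Name
$badTargets = $ErpServers | Where-Object { $dcNames -contains $_ }
if ($badTargets) {
    throw "Domain controller(s) in target list, aborting: $($badTargets -join ', ')"
}

# --- G -> L: nest the domain group in each server's local Administrators ---
# (P, the permission, follows from Administrators membership.)
$member  = "CONTOSO\$GroupSam"
$results = Invoke-Command -ComputerName $ErpServers -ArgumentList $member -ScriptBlock {
    param($Member)
    $present = Get-LocalGroupMember -Group 'Administrators' |
               Where-Object { $_.Name -eq $Member }
    if (-not $present) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Member
    }
    # Return the resulting membership so all five servers can be reviewed at once.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Admins   = (Get-LocalGroupMember -Group 'Administrators').Name -join '; '
    }
}
$results | Format-Table -AutoSize

# --- Technician: Account Operators instead of interactive logon on the DC ---
Add-ADGroupMember -Identity 'Account Operators' -Members $Technician

# --- Verify both delegations ---
Get-ADGroupMember -Identity 'Account Operators' | Select-Object Name, SamAccountName
Get-ADGroupMember -Identity $GroupSam          | Select-Object Name, SamAccountName
```

Staff turnover is then handled with `Add-ADGroupMember` and `Remove-ADGroupMember` against the domain group only; the servers are never touched again. Two points worth keeping in mind when applying this: Account Operators can modify any account or group that is not itself administrative, which is considerably more than "reset and unlock", so if the technician should only ever handle password resets, delegating those two rights on the relevant user OU (Active Directory Users and Computers, Delegate Control) is the narrower option. And because adding a domain group to a server's Administrators group is a one-line change, have the servers audit it: Security event 4732 ("A member was added to a security-enabled local group") records every such addition, and event 4728 does the same for additions to global groups on the DCs.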
Current thread:
- restricted management for some users. Bruyere, Michel (May 20)
- Re: restricted management for some users. Ansgar -59cobalt- Wiechers (May 21)
- RE: restricted management for some users. Chris Goodwin (May 21)
- <Possible follow-ups>
- RE: restricted management for some users. Sullivan, Glenn (May 21)