Security Basics mailing list archives

RE: restricted management for some users.


From: "Sullivan, Glenn" <GSullivan () DavidClark com>
Date: Thu, 20 May 2004 13:20:08 -0400

Why not install the admin tools on his workstation, to eliminate the need for him to log on locally...

Then make him a member of the Domain Account Operators group.

As to the ERP, make a domain group called "ERP Admins".  Make the "ERP Admins" group a member of the "Administrators" 
group on each of the 5 machines.

Of course, assuming that the ERP machines are not DCs... if they are, there is no such thing as "Local Administrators" 
for those machines, and it is going to be far more difficult to do what you desire.

Then, as your ERP admins (these 2 guys) come and go from the company, you can simply add their replacements' (or 
assistants' or whatever) domain accounts to the domain "ERP Admins" group and be done...

Remember: AGLP

A - "Accounts" get put into
G - "Global Groups" which get put into
L - "Local Groups" which should then be assigned
P - "Permissions" (in this case, administrative access)

HTH,

Glenn Sullivan, MCSE+I  MCDBA
David Clark Company Inc. 
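The AGLP layout described above, carried out in PowerShell as an added example that is not part of the thread: it assumes the RSAT ActiveDirectory module and PowerShell remoting to the member servers, and the server and account names are placeholders.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# (RSAT) and PowerShell remoting to the ERP servers; names are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'ERP Admins'                               # domain global group
$ErpAdmins  = 'erpdev1', 'erpdev2'                       # placeholder sAMAccountNames
$ErpServers = 'erp01', 'erp02', 'erp03', 'erp04', 'erp05' # placeholder hostnames

# A -> G: accounts go into a global security group, never straight into
# the servers' Administrators groups.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Local admin rights on the ERP servers (AGLP)'
}
Add-ADGroupMember -Identity $GroupName -Members $ErpAdmins

# Guard from the post: member servers only. A DC has no local
# Administrators group; its builtin group is domain-wide.
$DcNames = (Get-ADDomainController -Filter *).Name
$Targets = $ErpServers | Where-Object { $_ -notin $DcNames }

# G -> L -> P: nest the global group into each server's local
# Administrators group, which already carries the admin permission.
Invoke-Command -ComputerName $Targets -ArgumentList $GroupName -ScriptBlock {
    param($g)
    $domainGroup = "$env:USERDOMAIN\$g"    # assumes the remoting user is a domain account
    $current = (Get-LocalGroupMember -Group 'Administrators').Name
    if ($current -notcontains $domainGroup) {
        Add-LocalGroupMember -Group 'Administrators' -Member $domainGroup
    }
    # Report the resulting membership so stray per-user grants can be
    # spotted and removed later; replacements are then handled in AD only.
    [pscustomobject]@{
        Server  = $env:COMPUTERNAME
        Members = (Get-LocalGroupMember -Group 'Administrators').Name -join '; '
    }
}
```

Re-running the script is safe: the group is created only if missing and the nesting is only added where it is not already present.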

-----Original Message-----
From: Bruyere, Michel [mailto:mbruyere () ezemcanada com]
Sent: Thursday, May 20, 2004 9:51 AM
To: security-basics () securityfocus com
Subject: restricted management for some users.


Hi, 
        I've been asked to do 2 things and I wanted to know what you
guys think would be the best way. I already have a way to achieve my
goal but I'm looking for a better way to do that (if any exists).

Here it goes

1- I need to set up a user (the technician) to access the properties of
accounts in AD (to reset passwords and/or unlock them). He has to log on
locally/interactively on one of the DCs (the one with all the FSMO
roles).
BTW I had something strange when I set the local policies on the DC
to allow the user to log on locally. I had set all admin groups/accounts
and this particular account. A few times after I did this, users began to
call me telling me that they had a message that they couldn't log on
interactively. Is there a way to set up "local" policies on the DC to
allow a user account to log on locally? 


2- I have to give full control over 5 servers to 2 guys, the ERP dev
team. They should have the right to install/uninstall anything on the
servers. I thought to give them an account which is local administrator
on those servers.



Thanks



M.Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something
is to start looking for something else.
:-)




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------