Windows 2003 DC account with administrative access but not Active Directory access

    Question

  • Hi

    I have a strange question to which I do not find any working answers.

    I have a Windows 2003 server with Active Directory installed and working.
    I have some software which must be installed with administrative rights.
    This software will be installed by some other administrator whom I don't trust because he is not from my organization. This other administrator must have a remote desktop connection to this server to manage this software, and he wants administrative rights to the computer.

    Is there any way to grant administrative permissions to an account without this account having access to modify my Active Directory?

    I have one forest with a Windows 2008 server DC and a Windows 2003 DC. I know that Windows 2008 server has a Read Only Domain Controller function, but I think that will not work with my Windows 2003 DC.

    What I have tried:

    I create user: Admin
    I create group: GAdmin (security, global)

    Then I add Admin to the groups GAdmin and Administrators.
    GAdmin is a member only of the Remote Desktop Users group.
    After that I open Active Directory, navigate to mydomain.local > Security, add the GAdmin group and deny every object in security. After that the Admin user has no access to the domain controller any more.
    Then I think for a little and deny every object except Read permissions. After that my Admin account has administrative rights to install programs and modify Active Directory objects.

    So that is not a working option for me because the Admin account can modify (delete) objects.

    I do not have any ideas any more. I can't demote the Windows 2003 DC and I can't upgrade it to Windows 2008.
    Does anyone have a solution to this problem?
    Wednesday, August 20, 2008 8:10 PM

Answers

  • Hi,

    <Is there any way to grant administrative permissions to an account but for this account not to have access to modify my Active Directory?>

    The Windows security model is built on the assumption that administrators are trustworthy. Actually, they can do whatever they want. Although we can deny an administrator the right to access some files, he can always grant himself the permission back. So, in order to limit some specific users' rights, you can consider delegation.

    For example, in order to grant some specific users permissions on an OU, you can refer to the following steps:

    1. The administrator has previously configured a new Organizational Unit (OU). The OU contains all of the directory objects over which the administrator will delegate control.

    2. The administrator starts the Delegation wizard by right-clicking the OU, and then clicking Delegate Control.

    3. The Delegation wizard title dialog box appears, providing some introductory information about the wizard's functionality. Click Next to proceed.

    4. The administrator chooses the folder to which delegation will be applied.

    5. The administrator next specifies to whom delegation is going to be granted in the Users or Groups dialog box.

    6. The administrator is given the option to select the tasks to delegate. These tasks can be selected from a pre-compiled list of commonly delegated tasks, or the administrator can choose to create a custom task to delegate.

    a.  If the administrator selects a common task, a summary screen is displayed in which the administrator can detail the changes to be made.

    b.  If the administrator chooses to create a custom task to delegate, two dialog boxes are displayed in which the administrator can customize the delegated task:

        1. Level of delegation. The administrator can choose to delegate to the entire folder, or to specific objects within the folder.

        2. In the next dialog box, the administrator dictates the permissions the specified users will be able to exercise.

    7. A confirmation dialog box appears, detailing all of the options selected in the wizard. Confirming the changes completes the wizard, and adds all appropriate access control entries to the target Active Directory container.

    For more information about this topic in Windows Server 2003, visit the following Microsoft Web sites:

    Step-by-step guide to using the Delegation of Control wizard
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

    Best practices for delegating Active Directory administration: How delegation works in Active Directory
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid3.mspx

    Best practices for delegating Active Directory administration: Case study: a delegation scenario
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdidcs.mspx

    Hope this helps.

    Thursday, August 21, 2008 8:41 AM
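As an added example (not part of the thread, and not Microsoft's own code), here is the delegation the answer walks through in the wizard, done from PowerShell against .NET System.DirectoryServices, followed by an audit of where the delegated group actually holds ACEs and a check of the point the answer makes about administrators. Assumed names: the domain mydomain.local from the question, a hypothetical OU "Apps" holding the vendor software objects, and the group MYDOMAIN\GAdmin; it needs PowerShell 2.0 or later and Domain Admin rights to run.

```powershell
# Added example, not from the thread. Assumptions: domain mydomain.local, a
# hypothetical OU "Apps" for the vendor software, group MYDOMAIN\GAdmin.
# Needs PowerShell 2.0+ and a Domain Admin to run; uses only .NET
# System.DirectoryServices, so no ActiveDirectory module is required.
Add-Type -AssemblyName System.DirectoryServices

$domainDN = 'DC=mydomain,DC=local'                    # from the question
$ouDN     = "OU=Apps,$domainDN"                       # assumed OU
$account  = New-Object System.Security.Principal.NTAccount('MYDOMAIN', 'GAdmin')   # assumed group
$sid      = $account.Translate([System.Security.Principal.SecurityIdentifier])

# 1. Delegate: GAdmin may read/write properties and create/delete objects in the
#    OU and everything below it. This is what a custom task in the wizard produces.
$ou     = [ADSI]"LDAP://$ouDN"
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty, CreateChild, DeleteChild'
$ruleArgs = @(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
$ou.ObjectSecurity.AddAccessRule($rule)
$ou.CommitChanges()

# 2. Audit: every ACE on a container that names GAdmin. The scope is right only if
#    the OU lists the rights above and the domain root lists nothing for this SID.
function Get-DelegatedAces {
    param([string]$DistinguishedName, [System.Security.Principal.SecurityIdentifier]$Sid)
    $obj = [ADSI]"LDAP://$DistinguishedName"
    $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Sid } |
        Select-Object @{n='Object'; e={ $DistinguishedName }},
                      AccessControlType, ActiveDirectoryRights, InheritanceType, IsInherited
}
Get-DelegatedAces -DistinguishedName $ouDN     -Sid $sid | Format-Table -AutoSize
Get-DelegatedAces -DistinguishedName $domainDN -Sid $sid | Format-Table -AutoSize

# 3. The answer's point as one check: on a domain controller the Administrators
#    group is the domain's BUILTIN\Administrators, so if GAdmin (or Admin) sits in
#    it, the delegation above is irrelevant and the account can change the directory.
$admins  = [ADSI]'WinNT://./Administrators,group'
$members = @($admins.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
foreach ($name in 'GAdmin', 'Admin') {
    if ($members -contains $name) { Write-Warning "$name is in Administrators; delegation does not limit it." }
}
```

The second Format-Table should come back empty for the domain root; any explicit, non-inherited ACE for the group there means the delegation is wider than the OU.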