how to allow log on locally and install software
  • how to allow log on locally and install software

    Hi,

    So you can't log onto a domain controller as a local admin.

    I think you can make a group a member of local administrators via group policy and this will allow you to log on locally to a DC and install software - but I'm pretty sure it also gives you access to AD/DNS/DHCP/ETC.

    I want to give a group of users the ability to log on locally and then install software and access ADUC.

    I don't want them to have the ability to edit DNS or DHCP.

    Can anyone think of a clean way of allowing this that doesn't involve too much hacking?

    Thanks

    Simon

  • #2
    Re: how to allow log on locally and install software

    DCs do not have ANY local accounts and I would be very careful about letting anyone except domain admins install software on them. ADUC access can be given using delegation of control and installing ADUC on their local machine.

    If you really need to give normal users access to the DC, look into user rights
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: how to allow log on locally and install software

      Originally posted by Ossian:
      DCs do not have ANY local accounts and I would be very careful about letting anyone except domain admins install software on them. ADUC access can be given using delegation of control and installing ADUC on their local machine.

      If you really need to give normal users access to the DC, look into user rights

      It's not that I want to give normal users access to the DC - that's the last thing I want.

      I would prefer no administrators (of any level, low or high) be given access to the administrator account and that all administrative tasks be done using "privileged" accounts, so that we can track usage of rights via auditing.

      I was hoping to be able to give one group the ability to log onto all servers and install/remove software - without having to use built-in groups like administrators/domain admins and without giving them full access to the entire DC via the Administrator account.


      • #4
        Re: how to allow log on locally and install software

        I guess what I'm saying is I wouldn't mind a junior-ish admin being able to log onto all our servers (including DCs) and install a piece of software, but when he's on there I don't want him messing around in DNS or DHCP etc.

        I want to know who did what by using individual accounts rather than giving them the admin password, and I don't want them to be a member of the domain admins group etc.


        • #5
          Re: how to allow log on locally and install software

          OK, so look into user rights and grant only minimal ones to a group containing your "junior admins"
          Tom Jones


          • #6
            Re: how to allow log on locally and install software

            You'd need to create a specific group within the domain, call it say JuniorAdmins,
            then delegate it permissions to do things on the DC, including say View access for DNS, DHCP, AD, etc., as well as to install software,
            then use GPO like you said, to apply permissions on the DC allowing this user group to install software.

            the benefit of this is your junior admins also get to learn about how the admin tools work, thus furthering their development
            Please do show your appreciation to those who assist you by leaving Rep Point

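An added example, not part of any post in this thread: one way to check that a delegated group, such as the JuniorAdmins group suggested in #6, holds only the minimal user rights recommended in #5, by parsing the `[Privilege Rights]` section of a `secedit /export` file. The group SID, the allowed-rights list and the sample export text are constructed for illustration.

```powershell
# Added example: audit which user rights a delegated group holds on a server or DC.
# $GroupSid, $Allowed and the sample export are constructed, not taken from the thread.
$GroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1601'  # hypothetical JuniorAdmins SID
$Allowed  = @('SeInteractiveLogonRight')                       # "Allow log on locally"

# On a real machine, produce the input with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $InfText = Get-Content C:\Temp\rights.inf -Raw
$InfText = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1601
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1601
SeDenyInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
'@

function Get-UserRightAssignment {
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        # Track which INF section we are in; only [Privilege Rights] matters here.
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            # Entries are comma separated; SIDs carry a leading '*'. Empty lists yield nothing.
            $principals = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
            foreach ($p in $principals) { [pscustomobject]@{ Right = $right; Principal = $p } }
        }
    }
}

$held       = @(Get-UserRightAssignment -InfText $InfText | Where-Object Principal -eq $GroupSid)
$unexpected = @($held | Where-Object { $_.Right -notin $Allowed })

"Rights held by $GroupSid : $($held.Right -join ', ')"
if ($unexpected.Count -gt 0) {
    "UNEXPECTED rights for this group: $($unexpected.Right -join ', ')"
} else {
    'Group holds only the allowed rights.'
}
```

With the constructed sample, the group is reported as also holding `SeLoadDriverPrivilege`, which is the kind of drift from a minimal grant this check is meant to surface.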