Best way to allow contractor local access to DC?


  • Best way to allow contractor local access to DC?

    I have a DC in a remote office that is having hardware issues. I need to allow a contractor to be able to log on locally and review event logs etc. What is the best way for me to do this?

  • #2
    Re: Best way to allow contractor local access to DC?

    In Windows 2003 DC environments you can't log in locally.
    With Windows 2008 RODC it's possible to achieve this.

    However, what you might do is add a user to the Server Operators.
    Although this might give them more permissions than you want, I think this is the best way.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Best way to allow contractor local access to DC?

      Make sure auditing is on as well.
      You could always export the logs if that is all he wants to read?
      cheers
      Andy

      Please read this before you post:


      Quis custodiet ipsos custodes?



      • #4
        Re: Best way to allow contractor local access to DC?

        Thanks, exporting the logs is actually a good idea that I had not thought about. The problem is that it is a hardware issue that they are going to have to resolve with the vendor. So I guess I will have to temporarily give them access and then take it away. So there is no way to only allow the account to log on to the one DC and not everywhere else?



        • #5
          Re: Best way to allow contractor local access to DC?

          You can easily restrict which users can log on to a machine, and it's even easier to restrict which machines a user can log on to. Google maybe? http://www.google.co.uk/search?q=win...+logon+machine
          Gareth Howells

          BSc (Hons), MBCS, MCP, MCDST, ICCE

          Any advice is given in good faith and without warranty.

          Please give reputation points if somebody has helped you.

          "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

          "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



          • #6
            Re: Best way to allow contractor local access to DC?

            We shepherd our hardware contractors. When stuff needs doing on the keyboard, authenticated to our domain, I do it. When it's their diagnostic software running and they don't need to authenticate, I let them do it. Anything involving physical work, they do it.

            We never under any circumstances let external contractors log into our systems.


            Tom
            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

            Anything you say will be misquoted and used against you



            • #7
              Re: Best way to allow contractor local access to DC?

              It is good practice IMO to create an account specifically for contractors and disable it when not in use, and give the account just the appropriate rights it needs to do its job. This should be accompanied by a disclaimer they need to sign. Also, if you wanted to go the extra length, you could monitor the whole session with http://www.observeit-sys.com/overview.asp.
              It all depends on your org's needs though.

              Ta
              Caesar's cipher - 3

              ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

              SFX JNRS FC U6 MNGR



              • #8
                Re: Best way to allow contractor local access to DC?

                Originally posted by L4ndy
                It is good practice IMO to create an account specifically for contractors and disable it when not in use, and give the account just the appropriate rights it needs to do its job. This should be accompanied by a disclaimer they need to sign. Also, if you wanted to go the extra length, you could monitor the whole session with http://www.observeit-sys.com/overview.asp.
                It all depends on your org's needs though.

                Ta
                And if someone needs to log on to one of your domain controllers? Immediately they have to be Domain Admin unless you do a lot of customising and so on.

                I prefer our approach.


                Tom
                For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                Anything you say will be misquoted and used against you



                • #9
                  Re: Best way to allow contractor local access to DC?

                  Originally posted by Stonelaughter
                  And if someone needs to log on to one of your domain controllers? Immediately they have to be Domain Admin unless you do a lot of customising and so on.
                  It can be easily done via group policy either by editing an existing policy or creating a new one as follows:
                  Computer Config - Security setting - Local Policies - User rights - and Allow logon locally
                  where you add the username.

                  Plus other settings depending on what they need to do.
                  Caesar's cipher - 3

                  ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

                  SFX JNRS FC U6 MNGR
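
The approach discussed in posts #3, #5, #7 and #9, as an added example that is not part of the original thread: a dedicated contractor account that can only log on to one DC, expires on its own, stays disabled outside the visit, and whose logons are reviewed afterwards. It assumes the ActiveDirectory PowerShell module, a Windows Server 2008 or later DC (for the Event Log Readers group and event ID 4624), and success auditing of logon events; the account name, DC name and time window are placeholders. The "Allow log on locally" right itself is still granted through Group Policy as described in post #9.

```powershell
# Added example; all names below are hypothetical placeholders.
Import-Module ActiveDirectory

$Sam    = 'contractor-hw01'   # placeholder contractor account
$DcName = 'REMOTE-DC01'       # placeholder name of the affected DC
$Hours  = 8                   # length of the access window

$Password = Read-Host -AsSecureString "Temporary password for $Sam"

# 1. Create the account disabled, pinned to one machine, with a hard expiry.
#    -LogonWorkstations limits where the account may log on; it does not
#    grant the logon right on the DC (that comes from the GPO user right).
New-ADUser -Name $Sam -SamAccountName $Sam `
    -AccountPassword $Password `
    -Description "Hardware vendor visit, $DcName only" `
    -LogonWorkstations $DcName `
    -AccountExpirationDate (Get-Date).AddHours($Hours) `
    -Enabled $false

# 2. Read access to event logs without Server Operators or Domain Admins.
Add-ADGroupMember -Identity 'Event Log Readers' -Members $Sam

# 3. Enable only when the contractor is on site.
Enable-ADAccount -Identity $Sam

# ... contractor works under supervision ...

# 4. Disable as soon as the visit ends and confirm the restrictions held.
Disable-ADAccount -Identity $Sam
Get-ADUser -Identity $Sam -Properties LogonWorkstations, AccountExpirationDate, LastLogonDate |
    Select-Object SamAccountName, Enabled, LogonWorkstations,
                  AccountExpirationDate, LastLogonDate

# 5. Review what the account did: successful logons (4624) recorded on the DC.
Get-WinEvent -ComputerName $DcName -MaxEvents 2000 `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
    Where-Object { $_.Message -match [regex]::Escape($Sam) } |
    Select-Object TimeCreated, Id, MachineName |
    Sort-Object TimeCreated
```

Once the vendor work is finished, remove the account from the "Allow log on locally" policy setting and delete it rather than leaving it disabled indefinitely.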
