Secure Domain Contollers at Branch Offices

Discussion in 'Active Directory' started by Bob Smith, May 12, 2008.

  1. Bob Smith

    Bob Smith Guest

    We need to reduce the number of users in the Domain Admins group. We are
    running Windows 2003 and are not looking to move to the next release for a
    while. We have multi-function domain controllers at a number of branch
    offices. Administrators have been placed in the Domain Admins group to
    administer these servers.

    How can we remove admins from the Domain Admins group but still allow them
    to perform daily operations tasks on these servers (restart services, setup
    printers, logon locally, manage file security... etc). Has anyone come up
    with a good security model for this without compromising security too much.

    Thanks
     
    Bob Smith, May 12, 2008
    #1
    1. Advertisements

  2. Bob Smith

    Al Mulnick Guest

    Yes, but I think the answer really depends on many more factors than you
    mentioned.
    For example, what exactly is deployed on these domain controllers? Why are
    they domain controllers? Are they locked rooms? Do these admins have
    physical access to the domain controller machines? Why are the local site
    administrators restarting services(this may fit with question 1)? What does
    security mean to you? What does compromising "too much" mean in that
    context?



    There are more, but that's the base set of questions I think. Answers to
    that should help guide the remainder of questions and help you get to a more
    secure stance.

    Al
     
    Al Mulnick, May 13, 2008
    #2
    1. Advertisements

  3. Paul Bergson [MVP-DS], May 13, 2008
    #3
  4. Jorge de Almeida Pinto [MVP - DS], May 20, 2008
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.