Great news Guido, and an answer to a post someone made from a month ago.  Thanks.


"GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/26/2003 03:22 PM
Please respond to ActiveDir

       
        To:        "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
        cc:        
        Subject:        RE: [ActiveDir] Restart/Start Services Right



Oh yes, I've set this up for many customers.  There are no drawbacks to placing the DCs in OUs underneath the Domain Controller OU. You should definitely stick to the rule not to change any setting in the Sub-OU GPO that you are also setting in the Default Domain Controllers GPO.
 
There used to be a supportability issue from Microsoft with this approach, but they're currently changing their mind as it's the only way to achieve specific administrative goals in an AD environment. E.g. we're also using the Sub-OU approach to grant local admins the permissions/user right to shut down "their" DC (and no other DC). This is important in the event of NIC failures or whatever, where the central admins can't reach the machine... And they have physical access to the box anyways, which is much more of a security hole, if you so want.
 
I'm still waiting for an official statement from MS on the supportability, but we've been using this solution very successfully ever since the introduction of AD...
 
/Guido
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 26 March 2003 15:36
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restart/Start Services Right


Have you done this in practice Guido?  Are there any drawbacks to separating DC's into OU's under the domain controller container?


"GRILLENMEIER,GUIDO (HP-Germany,ex1)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

03/26/2003 02:46 AM
Please respond to ActiveDir

       
       To:        "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>

       cc:        

       Subject:        RE: [ActiveDir] Restart/Start Services Right




Using subinacl is not the best approach to manage the service permissions on
a DC; I'd only use it on a standalone system or on Win2k members in an NT4
domain - in AD GPOs are the preferred way and the "Security Settings\System
Service" get you where you want to be.

But yes, neither the Default Domain Policy nor the Default Domain Controller
Policy meet the goal to grant specific permissions on single DCs.  The way
around this is simply to add sub-OUs UNDERNEATH the Domain Controllers OU
(e.g. one for each office hosting a DC) and to place the DCs in the
appropriate OU. You can now add additional GPOs for DCs in a specific office
(like granting permissions on services) while still being covered by the
general Default Domain and Default Domain Controllers Policies.

/Guido

-----Original Message-----
From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 26 March 2003 00:12
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restart/Start Services Right


>I think u can do it Domain Security Policy \Security Settings \ System service

Doesn't meet his requirement, Default Domain Policy is common to all DC's in
the DC OU.

"specific office based administrators to restart/start services on specific
domain controllers."

Conceivably it could be done on individual DC's with subinacl but I have
never tried it.

SUBINACL /SERVICE \\MachineName\ServiceName /GRANT=[DomainName\]UserName[=Access]

The values that 'Access' can take are:
 F : Full Control
 R : Generic Read
 W : Generic Write
 X : Generic eXecute
 L : Read controL
 Q : Query Service Configuration
 S : Query Service Status
 E : Enumerate Dependent Services
 C : Service Change Configuration
 T : Start Service
 O : Stop Service
 P : Pause/Continue Service
 I : Interrogate Service
 U : Service User-Defined Control Commands




-----Original Message-----
From: Milind Patil [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 4:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Restart/Start Services Right



I think u can do it Domain Security Policy \Security Settings \ System
services
regs
Milind

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 25, 2003 2:56 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Restart/Start Services Right



Good Morning/Afternoon/Evening All,

I have many DCs in many locations. I basically want to allow specific
office based administrators to restart/start services on specific domain
controllers.

How would I go about this? Is it possible?

Thanks and Best Regards,

Rob

Robert Rutherford






List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
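
Added example, not part of the original thread and not code from any of the posters: a Python audit of a service security descriptor in SDDL form (as printed by "sc sdshow"), listing which trustees hold the Start/Stop rights discussed above and flagging those that also hold configuration or ACL-write rights. The SDDL string and the SID in it are constructed sample input, and the function names are hypothetical.

```python
import re

# Service access rights by SDDL code; comments give the SUBINACL letter.
RIGHTS = {
    "CC": 0x0001,  # Q: Query Service Configuration
    "DC": 0x0002,  # C: Service Change Configuration
    "LC": 0x0004,  # S: Query Service Status
    "SW": 0x0008,  # E: Enumerate Dependent Services
    "RP": 0x0010,  # T: Start Service
    "WP": 0x0020,  # O: Stop Service
    "DT": 0x0040,  # P: Pause/Continue Service
    "LO": 0x0080,  # I: Interrogate Service
    "CR": 0x0100,  # U: Service User-Defined Control Commands
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0xF01FF,  # F: Full Control (SERVICE_ALL_ACCESS)
}
START_STOP = RIGHTS["RP"] | RIGHTS["WP"]
# Change-config, WRITE_DAC and WRITE_OWNER allow reconfiguring the service or
# rewriting its ACL, which on a DC is far more than a delegated "restart".
ESCALATING = RIGHTS["DC"] | RIGHTS["WD"] | RIGHTS["WO"]

# Constructed sample: a typical service descriptor plus one delegated ACE
# for a made-up office-admins group SID (the last ACE before the SACL).
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;LCRPWPLO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

def ace_mask(rights):
    """Turn an SDDL rights field (two-letter codes or a hex mask) into bits.
    Codes not in RIGHTS are ignored (simplification of this example)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS.get(code, 0)
    return mask

def audit_service_sddl(sddl):
    """Return {trustee: finding} for allow ACEs granting start or stop.
    Deny ACEs and the SACL are not evaluated (simplification)."""
    masks = {}
    for ace in re.findall(r"\(([^)]*)\)", sddl.split("S:")[0]):
        fields = ace.split(";")
        if len(fields) >= 6 and fields[0] == "A":
            masks[fields[5]] = masks.get(fields[5], 0) | ace_mask(fields[2])
    return {t: ("escalating" if m & ESCALATING else "start/stop only")
            for t, m in masks.items() if m & START_STOP}
```

A delegated group that shows up as "escalating" holds more than the restart/start right the original question asked for.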
