The reason for the question is that allowing local access to a DC
substantially impacts your security. It is extremely bad practice and poor
form to give non-domain admins interactive access to domain controllers. The
recommendation from everyone, including MS, is to not do it. Why? Because if
they so choose, the person you give the access to will most likely have the
ability to get administrative level access and can hopscotch that into
complete forest admin access - usually with no knowledge of the DAs and
EAs.

Most people tend to do it when they don't know how to do things in a better,
more secure way. When we ask why, we are trying to understand the context to
better provide solutions. I.e. lots of people ask for lots of things and
most of the time they don't know what they are asking for, else they
generally don't need to ask. Not saying you fit this category, but before we
give someone a loaded gun, we like to know that they intend to point it at a
rat in the dumpster versus their own head or foot.

My general answer to someone who wants to give someone else interactive
domain controller access is to give them domain admin rights, then you
aren't fooling yourself into thinking you have a secure solution.

  joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Tuesday, September 14, 2004 9:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Logging on to a Domain Controller

Is it really important why? I just want to know how it might be done. I am
weird like that.

Thanks for any other tips anyone might have.



-----Original Message-----
From: ASB [mailto:[EMAIL PROTECTED]
Sent: Monday, 13 September 2004 21:44
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Logging on to a Domain Controller

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I would like to give a group of our 2nd level administrators the ability to
log on to all Domain Controllers.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Because?

-ASB


----- Original Message -----
From: Abbiss, Mark <[EMAIL PROTECTED]>
Date: Mon, 13 Sep 2004 14:32:47 +0200
Subject: [ActiveDir] Logging on to a Domain Controller
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>


I am going round in circles and am now completely confused!

I would like to give a group of our 2nd level administrators the ability to
log on to all Domain Controllers. I have applied a group policy to the
"Domain Controllers" OU which sets the "Computer configuration -> Windows
settings -> Security settings -> Local policies -> User rights assignment"
to give this group "Log on locally" rights. I have also ensured that the
group policy is applied to all authorised users. I have no problem logging
on as I am an Enterprise Admin; however, the other admins are denied the
ability to log on.

Therefore, I modified the local DC security settings to give the same group
the "Log on locally" right. Still they cannot log on.

Please, what could I be missing? Do I need to set access rights anywhere
else? Can I do anything to troubleshoot what rights this group is getting?

Many thanks for any help.
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
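One way to troubleshoot what the DC has actually ended up with, as an added example that is not part of the thread: export the effective user-rights assignment with secedit and resolve who holds "Allow log on locally" (SeInteractiveLogonRight) and, just as important, "Deny log on locally" (SeDenyInteractiveLogonRight), since a deny wins over an allow. It assumes it is run elevated on the DC itself; the temp file name is arbitrary.

```powershell
# Added example (not from the thread). Dumps the effective user-rights
# assignment on this DC and lists who holds the interactive logon allow/deny
# rights. Run in an elevated PowerShell on the domain controller.

$inf = Join-Path $env:TEMP 'userrights.inf'   # arbitrary temp file name
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Resolve-Principal {
    # secedit writes SIDs as *S-1-5-32-544; translate to DOMAIN\Name
    param([string]$Token)
    $sid = $Token.TrimStart('*')
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Token   # unresolvable SID (orphaned group?) - show it as-is
    }
}

# [Privilege Rights] lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = ($matches[2] -split ',') |
            Where-Object { $_ } |
            ForEach-Object { Resolve-Principal $_.Trim() }
    }
}

foreach ($name in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
    "${name}:"
    if ($rights.ContainsKey($name)) {
        $rights[$name] | ForEach-Object { "  $_" }
    } else {
        "  (not defined in effective policy)"
    }
}

Remove-Item $inf -ErrorAction SilentlyContinue

# To see which GPO supplied the winning value, compare against:
#   gpresult /scope computer /v
```

A user-rights setting defined in more than one GPO is replaced, not merged, by the winning GPO, and an edit made in the DC's local security policy is overwritten at the next policy refresh, which is why checking the effective list rather than the GPO you edited is the useful step.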