There is none. Don't let people log onto DCs unless you
don't care if they are in a position to take over your forest.
I.E. Only domain admins should be allowed to log onto DCs.
You
can delegate off services via GPO or subinacl and then the delegated person can
remotely manipulate them.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Tuesday, November 16, 2004 5:35 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Group / Permission Anybody know what group I need to assign a user so they can log on locally to a single Domain Controller and start / stop services on the machine without being able to modify any part of active directory?
Thanks, -- Matt Brown [ SELECT * FROM users WHERE clue > 0 ] Information Technology System Specialist Eastern Washington University
|
- [ActiveDir] Group / Permission Matt Brown
- joe