  1. #1


    Provide Admin access to a DC.

    I know by its very nature a DC does not have a local admin as such. However, I am starting to get an increasing number of requests for DC administration.

    The way our teams here are broken up means that we have a separate Performance team that would need to be able to run certain tasks on a DC, such as perfmon, eventvwr, read-only to services. (This would seem easy to manage, but delegation to the MMC doesn't seem to work.)

    Another team looks after the hardware and requires the HP Insight Manager to have admin rights to be able to install an agent and report on HW failures.

    I'm really trying not to add more accounts to the Domain Admins group than really necessary, but it seems delegation on a DC doesn't really exist.

    This is running Windows 2008 R2. The old 2003 DCs seemed to be less secure, and we had ways round this.

    Any thoughts? Or am I resigned to having more DAs?

  2. #2

    pete
    Might I suggest including the agents, tools and logserver destinations they require as part of your standard build image / a deployable package?

    I'm assuming that if you're big enough to have a dedicated hardware and performance group, you're big enough that it's all heavily automated (including scheduled perfmon slinging results to a central location).

    Our rule of thumb is "if you're not capable of fixing it when broken and you're not on the on-call list, you don't get admin rights to anything that other people depend on".

  3. #3

    Quote Originally Posted by pete:

        Might I suggest including the agents, tools and logserver destinations they require as part of your standard build image / a deployable package?

        I'm assuming that if you're big enough to have a dedicated hardware and performance group, you're big enough that it's all heavily automated (including scheduled perfmon slinging results to a central location).

        Our rule of thumb is "if you're not capable of fixing it when broken and you're not on the on-call list, you don't get admin rights to anything that other people depend on".

    You are happily forgiven for thinking that - the argument is then they don't want logs all the time, only when issues are experienced. If I could just get SCOM installed it would relieve a lot of the headache - but the powers that be deemed this won't happen.

    For the HP monitoring, I can understand it needs a service account to report back to the management server; I'd just really like to not make this a DA.

    Your "rule of thumb" is exactly how I believe any setup should be; unfortunately people seem to think they're missing out on something by not being a DA. Just last week I had to add 4 new people, for no other reason than they told their manager they wanted it! Then, despite my misgivings, I was told to make it happen.

    I have now resigned myself to the fact that our DCs will be accessible by any number of people - so I have changed tack to see if I can try and delegate some access and hopefully talk management into reversing some of their decisions.

  4. #4

    AngryTechnician
    Take a look at some of the groups in the Built-in container in the root of your AD. I think you should be able to achieve at least some of what you're after by adding the appropriate users to some of those groups (Event Log Readers and Performance Monitor Users in particular spring to mind).
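    As an added illustration (not from the thread or either poster), the following ActiveDirectory-module script applies the suggestion above: it places the performance team into the two Builtin groups named, and then audits Domain Admins against an approved list. The account names and the approved list are assumed placeholders.

```powershell
# Added example: delegate read-only monitoring on DCs via Builtin groups, then audit Domain Admins.
# Requires the ActiveDirectory module (RSAT). Account names below are assumed placeholders.
Import-Module ActiveDirectory

# Builtin container groups named in the thread. On a DC there are no local groups, so these
# domain-local groups are what grants "read event logs" / "read performance counter data"
# on every DC without handing out Domain Admins.
$Delegations = @{
    'Performance Monitor Users' = @('perf.alice', 'perf.bob')   # assumed performance-team accounts
    'Event Log Readers'         = @('perf.alice', 'perf.bob')
}

foreach ($groupName in $Delegations.Keys) {
    $group = Get-ADGroup -Identity $groupName
    foreach ($sam in $Delegations[$groupName]) {
        $user = Get-ADUser -Identity $sam
        # Idempotent: only add accounts that are not already (directly or nested) members
        $already = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.SamAccountName -eq $sam }
        if (-not $already) {
            # -WhatIf shows the change without applying it; remove it once reviewed
            Add-ADGroupMember -Identity $group -Members $user -WhatIf
        }
    }
}

# Audit: list every user who ends up in Domain Admins (including via nested groups)
# and flag any account not on the documented, approved list.
$Approved = @('Administrator', 'da.ops1')   # assumed list of sanctioned DA accounts
$DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

$Unexpected = $DomainAdmins | Where-Object { $Approved -notcontains $_ }
if ($Unexpected) {
    Write-Warning "Domain Admins members without approval: $($Unexpected -join ', ')"
} else {
    Write-Output 'Domain Admins membership matches the approved list.'
}
```

    Run the audit part on a schedule so that accounts added "because a manager asked" show up in a report rather than being discovered by accident.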

  5. #5

    pete
    I'd go with AT's suggestion then, if they're being daft.*

    *Your performance group doesn't appear to have any baseline data if they're not checking on a regular schedule. I'm not going to comment on turning on hardware logging after something's probably broken, because I'll end up saying terrible things about your hardware group.

    And most agent/log chatter can be simply controlled either via the agent's controlling server or GPO (if you're using Server 2008 to ship logs). I'm assuming the agent can work in push and pull mode.
