Thread in forum: How do you do....it? (Technical)
10th May 2012, 03:03 PM #1
Provide Admin access to a DC.
I know that by its very nature a DC does not have a local admin as such. However, I am starting to get an increasing number of requests for DC administration.
The way our teams here are broken up means that we have a separate Performance team that would need to be able to run certain tasks on a DC, such as perfmon, eventvwr, and read-only access to services. (This would seem easy to manage, but delegation to the MMC doesn't seem to work.)
Another team looks after the hardware and requires HP Insight Manager to have admin rights to be able to install an agent and report on HW failures.
I'm really trying not to add more accounts to the Domain Admins group than really necessary, but it seems delegation on a DC doesn't really exist.
This is running Windows 2008 R2. The old 2003 DCs seemed to be less secure, and we had ways round this.
Any thoughts? Or am I resigned to having more DAs?
10th May 2012, 03:44 PM #2
Might I suggest including the agents, tools and logserver destinations they require as part of your standard build image / a deployable package?
I'm assuming that if you're big enough to have a dedicated hardware and performance group, you're big enough that it's all heavily automated (including scheduled perfmon slinging results to a central location).
Our rule of thumb is "if you're not capable of fixing it when broken and you're not on the on-call list, you don't get admin rights to anything that other people depend on".
10th May 2012, 04:03 PM #3
You are happily forgiven for thinking that. The argument is then that they don't want logs all the time, only when issues are experienced. If I could just get SCOM installed it would relieve a lot of the headache, but the powers that be deemed this won't happen.
Originally Posted by pete
For the HP monitoring, I can understand it needs a service account to report back to the management server; I'd just really like to not make this a DA.
Your "rule of thumb" is exactly how I believe any setup should be. Unfortunately, people seem to think they're missing out on something by not being a DA. Just last week I had to add 4 new people, for no other reason than they told their manager they wanted it! Then, despite my misgivings, I was told to make it happen.
I have now resigned myself to the fact that our DCs will be accessible by any number of people, so I have changed tack to see if I can try and delegate some access and hopefully talk management into reversing some of their decisions.
10th May 2012, 04:11 PM #4
Take a look at some of the groups in the Built-in container in the root of your AD. I think you should be able to achieve at least some of what you're after by adding the appropriate users to some of those groups (Event Log Readers and Performance Monitor Users in particular spring to mind).
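The suggestion above, worked through in PowerShell, as an added example that is not part of the thread: it puts a set of performance-team accounts into the Builtin groups named in the reply and then checks that none of them has also ended up in Domain Admins. The user names and the DC name are assumptions for illustration; the group names are the real Builtin groups that exist in every domain. It needs the ActiveDirectory module (RSAT on a 2008 R2 box, or run it on the DC itself).

```powershell
# Added example (not from the original thread): delegate eventvwr and perfmon
# access on domain controllers via the Builtin groups instead of Domain Admins.
# Account names and the DC name below are hypothetical.
Import-Module ActiveDirectory

$perfTeam = @('perf.alice', 'perf.bob')   # hypothetical performance-team accounts

# Builtin domain-local groups. On domain controllers the Builtin container is
# shared by every DC in the domain, so membership takes effect on all of them.
#   Event Log Readers        -> read event logs locally and remotely (eventvwr)
#   Performance Monitor Users -> read performance counters locally and remotely (perfmon)
# 'Performance Log Users' additionally allows creating data collector sets;
# leave it out unless someone really needs that.
$delegatedGroups = @('Event Log Readers', 'Performance Monitor Users')

foreach ($group in $delegatedGroups) {
    Add-ADGroupMember -Identity $group -Members $perfTeam
}

# Show the resulting membership of each delegated group.
foreach ($group in $delegatedGroups) {
    Write-Host "== $group =="
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

# The check that matters: none of these accounts should also be a Domain Admin
# (directly or via nested groups), otherwise the delegation bought nothing.
$daMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
$leaks = $perfTeam | Where-Object { $daMembers -contains $_ }
if ($leaks) {
    Write-Warning "Still in Domain Admins: $($leaks -join ', ')"
} else {
    Write-Host 'No performance-team account is a Domain Admin.'
}

# To confirm the delegation works, run these as one of the delegated users
# against a DC (dc01 is hypothetical):
#   Get-WinEvent -ComputerName dc01 -LogName Application -MaxEvents 5
#   Get-Counter -ComputerName dc01 -Counter '\Processor(_Total)\% Processor Time'
```

Two caveats worth knowing before handing this out: Event Log Readers also grants read access to the Security log, which on a DC means every domain logon and account-management event, so treat it as a sensitive group in its own right; and remote eventvwr and perfmon only work if the "Remote Event Log Management" and "Performance Logs and Alerts" inbound firewall rules are enabled on the DCs.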
10th May 2012, 04:34 PM #5
I'd go with AT's suggestion then, if they're being daft*.
*Your performance group doesn't appear to have any baseline data, if they're not checking on a regular schedule. I'm not going to comment on turning on hardware logging after something's probably broken because I'll end up saying terrible things about your hardware group.
And most agent/log chatter can be simply controlled either via the agent's controlling server or GPO (if you're using Server 2008 to ship logs). I'm assuming the agent can work in push and pull mode.