Discussion:
AD Delegation Rights to patch DC's
(too old to reply)
Cosmo
2009-09-07 09:26:01 UTC
Permalink
Other then being a member of the 'Domain Admins' group, what AD Delegation
rights are required to install patches onto DC's?
Meinolf Weber [MVP-DS]
2009-09-07 11:23:01 UTC
Permalink
Hello Cosmo,

For full access you must be an administrator to install patches, so either
domain/enterprise or builtin/administrators member. You shouldn't delegate
that permission to users that are not knowing what to do on a domain controller.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Post by Cosmo
Other then being a member of the 'Domain Admins' group, what AD
Delegation rights are required to install patches onto DC's?
Marcin
2009-09-07 11:25:38 UTC
Permalink
Cosmo,
assuming you are referring to writable domain controllers (Admin role
separation is possible in case of RODC), patching would require membership
in domain local Administrators group (rather than Domain Admins)...

hth
Marcin
Post by Cosmo
Other then being a member of the 'Domain Admins' group, what AD Delegation
rights are required to install patches onto DC's?
Cosmo
2009-09-07 22:42:01 UTC
Permalink
Thank you both for your responses, but DC's don't have a 'Local Admins'
group, it's 'Domain Admins', which I want to avoid.
Cosmo
2009-09-07 22:55:01 UTC
Permalink
I correct myself, as I misunderstood you.

'Builtin\Administrators' group is the one I need.

Thanks :-)
Paul Bergson [MVP-DS]
2009-09-08 12:19:25 UTC
Permalink
In order to patch a DC you have to be an administrator. Since there are no
local admins you have to be a domain admin. So, be careful if you want
someone else to patch your dc's you are giving them full admin rights to
your domain.
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
Post by Cosmo
I correct myself, as I misunderstood you.
'Builtin\Administrators' group is the one I need.
Thanks :-)
Jorge de Almeida Pinto [MVP - DS]
2009-10-14 21:45:53 UTC
Permalink
domain admins (because you need to install software, which should be done by
full trusted and capable people)
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
Post by Cosmo
Other then being a member of the 'Domain Admins' group, what AD Delegation
rights are required to install patches onto DC's?
__________ Information from ESET Smart Security, version of virus
signature database 4507 (20091014) __________
The message was checked by ESET Smart Security.
http://www.eset.com
__________ Information from ESET Smart Security, version of virus signature database 4507 (20091014) __________

The message was checked by ESET Smart Security.

http://www.eset.com
Continue reading on narkive:
Loading...