Domain admin rights for 3rd party support

EvilGrin

EvilGrin

EvilGrin

Associate
Joined
12 Oct 2004
Posts
1,432
Location
Aberdeen, Scotland
Hi all, wanted to get some thoughts from you on what permissions I should configure for a 3rd party IT support company for a remote office.

I'm placing a new remote DC out in a branch office of ours who have their own 3rd party IT support. Network/Server design etc. will still be managed by myself, but I will need to give this 3rd party company access to certain functions on the server in order for them to perform their function. I've never had to deal with the complexities of splitting up permissions for other admins before as I work in a very small team with equal access, so I'd really like some advice on how to approach this.

We are a mostly server 2003/2008 domain, the server that will be supported is basically just a remote DC/GC, DNS, DHCP, file and print server. The 3rd party will be responsible for monthly physical site checks which includes server and desktop hardware and ensuring smooth running of backup tapes etc. They'll also be required to join computers to domain and troubleshoot desktop user issues (when the issues are local).

Any advice appreciated as always chaps.
 
Thanks, we've already got a contract in place with a decent company though, pretty happy with them, but I still want to lock down and control their access.

I've been playing around with this for a few days now and still having some difficulty, I'm either assigning too much or too little access.

Basically I want them to be able to have essentially local admin access, the main problem there is that this server is a domain controller so setting that up isn't possible and I really want to avoid having to set every little permission individually. They primarily need to be able to maintain server hardware, check server backups and perform restores etc., maintain and manage files and folders as an admin (although changing domain security/permissions etc. should be prohibited), install/manage windows and hardware firemware updates, restart standard services and reboot the server when needed.

For example, I want them to be able to open up services.msc and restart/start/stop services etc., to do this it looks like permission has to be set for each individual service through a GPO. What a ballache.

Any bright ideas guys?
 
Last edited:
Thanks for the reply, yeah, I definitely want to avoid giving them domain admin rights, which is why I'm going through this bother.

However, I definitely need to give them a level of access to login to this domain controller, we have contracted them to perform:
  • Hardware maintenance
  • Administer and maintain all backups on the server hence they will need full read/write access to files/folders on the server
  • Manage the print server role
  • Restart services etc. as well as be able to reboot/shutdown the server
  • Join computers to the domain and have all necessary rights for desktop support

So far I've added them to the backup operators built-in role, allowed them to rights to log in to the server over terminal services, and added the option for joining computers to the domain under delegate services.

I'm really not sure how to achieve the rest of what I need though...
 
Last edited:
Ugh, thanks for telling me what I didn't want to hear guys! ;) Thanks though.

The thought of separating the DC had crossed my mind too, but really as this has just been put into production, it'll be too much effort (and weekend work) to change it now, so I think I'll just have to suck eggs and give them some elevated admin rights. I'll just put this down to experience for the next time as this is going to become the template for a few of our other remote offices.

I've added them to the administrators built-in role, and I'm going to see how they get on with that. At least this way it stops them from logging into any of our other global servers, although they could just give themselves the domain admin permission, but I'll just have to be blunt with them and give a level of trust. That and turn on detailed logging and watch them like a hawk for a while... :) We're a paranoid lot us IT guys, eh?
 
You must log in or register to reply here.
Back
Top Bottom