In line with the administrative model proposed earlier, console-based administration on DCs will be restricted to members of the Server Operators group, for exceptional circumstances only, such as viewing logs (except the security log), viewing network and disk configuration (without the capability to change any of these), and restarting a server. All other admin accounts will be prevented from logging on to domain controllers and to any workstation that is not a member of the computers OU (Service Administrators, Computers) that holds admin workstations. No other group, including Domain Admins, will be able to log on to the DC.
Policy prevents built-in administrative groups from console login everywhere in the domain except in the Service Administrators OU.
Note: DDNS, WINS, and DHCP will be routinely administered from secure administrative workstations.
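One way to verify the restriction on a domain controller, as an added example that is not part of the original guide: the script parses the `[Privilege Rights]` section of a file produced by `secedit /export /areas USER_RIGHTS /cfg <file>` and reports every principal other than Server Operators that holds the local logon right. The sample export and the domain SID in it are constructed, and mapping "console logon" to `SeInteractiveLogonRight` / `SeDenyInteractiveLogonRight` is an assumption about how the policy is implemented.

```python
# Added example: audit a DC's user-rights export against the console-logon policy.
SERVER_OPERATORS = "S-1-5-32-549"  # well-known SID of BUILTIN\Server Operators

# Constructed sample export. S-1-5-21-1111-2222-3333 is a placeholder domain SID;
# RID 512 is Domain Admins, S-1-5-32-544 is BUILTIN Administrators.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-549,*S-1-5-32-544,*S-1-5-21-1111-2222-3333-512
SeDenyInteractiveLogonRight =
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""


def parse_rights(inf_text):
    """Return {right name: set of SIDs or account names} from the export text."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names have none.
            rights[name.strip()] = {
                p.strip().lstrip("*") for p in value.split(",") if p.strip()
            }
    return rights


def audit_console_logon(inf_text, allowed=frozenset({SERVER_OPERATORS})):
    """Return (right, principal, problem) tuples; an empty list means compliant."""
    rights = parse_rights(inf_text)
    allow = rights.get("SeInteractiveLogonRight", set())
    deny = rights.get("SeDenyInteractiveLogonRight", set())
    findings = []
    for principal in sorted(allow - allowed):
        findings.append(("SeInteractiveLogonRight", principal,
                         "may log on locally but is not permitted by policy"))
    for principal in sorted(allowed - allow):
        findings.append(("SeInteractiveLogonRight", principal,
                         "permitted by policy but right is missing"))
    for principal in sorted(allowed & deny):
        findings.append(("SeDenyInteractiveLogonRight", principal,
                         "explicitly denied; deny overrides allow"))
    return findings


if __name__ == "__main__":
    for right, principal, problem in audit_console_logon(SAMPLE_INF):
        print(f"{right}: {principal} {problem}")
```

Real exports are usually UTF-16 encoded, so open the file with `encoding="utf-16"` before passing its text to `audit_console_logon`.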