| Author |
Message |
Jim Watts
Guest
|
 Posted:
Thu Jan 13, 2005 4:39 pm Post subject:
IAS Radius Delegation |
|
|
Hi,
I've been asked to provide Radius via IAS on our Windows 2003 Domain
Controllers. I would like to delegate control of the IAS/Radius
configuration to other members of my team, without giving them Administrator
permissions on the Domain Controllers. Can anybody tell me if this is
possible, as i've not yet been able to work out where the IAS config data is
stored, or whether access to it can be delegated.
Many thanks
--
Jim Watts,
Technology Consultant
Information Systems Services
University of Southampton
--
--
Jim Watts,
Technology Consultant
Information Systems Services
University of Southampton |
|
| Back to top |
|
 |
Steve Riley [MSFT]
Guest
|
| Posted:
Fri Jan 14, 2005 1:04 am Post subject:
Re: IAS Radius Delegation |
|
|
There is no separate "IAS Administrator" role. Since IAS is a security feature,
and since you must be a domain administrator to register IAS in Active Directory,
only domain administrators can manage IAS.
Steve Riley
steriley@microsoft.com
| Quote: | Hi,
I've been asked to provide Radius via IAS on our Windows 2003 Domain
Controllers. I would like to delegate control of the IAS/Radius
configuration to other members of my team, without giving them
Administrator permissions on the Domain Controllers. Can anybody tell
me if this is possible, as i've not yet been able to work out where
the IAS config data is stored, or whether access to it can be
delegated.
Many thanks
|
|
|
| Back to top |
|
|
Wayne Tilton
Guest
|
| Posted:
Fri Jan 14, 2005 1:53 am Post subject:
Re: IAS Radius Delegation |
|
|
Steve Riley [MSFT] <steriley@microsoft.com> wrote in
news:49325632412110582677035@news.microsoft.com:
While what Steve says is correct, it is fairly easy to do what you want
by changing the permissions on the %SystemRoot%\system32\IAS directory
and the files contained in it (.MDB and .LDB's). You can also use a tool
like SetACL to grant your IAS admins the rights to control the IAS
service and TS config and GPO to allow them to log on to the DC's.
Registering IAS in AD just makes the IAS server a member of the "RAS and
IAS Servers" group so it can read the user attributes, so, security not
withstanding, you can delegate that right, too.
HTH,
Wayne Tilton
| Quote: | There is no separate "IAS Administrator" role. Since IAS is a security
feature, and since you must be a domain administrator to register IAS
in Active Directory, only domain administrators can manage IAS.
Steve Riley
steriley@microsoft.com
Hi,
I've been asked to provide Radius via IAS on our Windows 2003 Domain
Controllers. I would like to delegate control of the IAS/Radius
configuration to other members of my team, without giving them
Administrator permissions on the Domain Controllers. Can anybody tell
me if this is possible, as i've not yet been able to work out where
the IAS config data is stored, or whether access to it can be
delegated.
Many thanks
|
|
|
| Back to top |
|
|
Steve Riley [MSFT]
Guest
|
| Posted:
Fri Jan 14, 2005 5:31 am Post subject:
Re: IAS Radius Delegation |
|
|
That is an unsupported configuration and is not something we test.
Steve Riley
steriley@microsoft.com
| Quote: | Steve Riley [MSFT] <steriley@microsoft.com> wrote in
news:49325632412110582677035@news.microsoft.com:
While what Steve says is correct, it is fairly easy to do what you
want by changing the permissions on the %SystemRoot%\system32\IAS
directory and the files contained in it (.MDB and .LDB's). You can
also use a tool like SetACL to grant your IAS admins the rights to
control the IAS service and TS config and GPO to allow them to log on
to the DC's. Registering IAS in AD just makes the IAS server a member
of the "RAS and IAS Servers" group so it can read the user attributes,
so, security not withstanding, you can delegate that right, too.
HTH,
Wayne Tilton
There is no separate "IAS Administrator" role. Since IAS is a
security feature, and since you must be a domain administrator to
register IAS in Active Directory, only domain administrators can
manage IAS.
Steve Riley
steriley@microsoft.com
Hi,
I've been asked to provide Radius via IAS on our Windows 2003 Domain
Controllers. I would like to delegate control of the IAS/Radius
configuration to other members of my team, without giving them
Administrator permissions on the Domain Controllers. Can anybody
tell me if this is possible, as i've not yet been able to work out
where the IAS config data is stored, or whether access to it can be
delegated.
Many thanks
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in