How to restrict & secure domain administration to chosen computers only?
I started reading about security in a domain. As I understood, domain administration can be restricted to chosen computers only. And the administration can also be done remotely (over the internet). I could not understand:
1) How to indicate such computers? i.e. restrict administration to only chosen computers, where such administration-permitted computers may connect from anywhere.
2) Is it possible to restrict permitted administration to physical locations, like server rooms, so that only computers there are permitted to administer the domain?
3) How does AD identify such computers (and possibly locations) securely?
3a) Well, I also do not quite understand the concept of a computer... which hardware essentially identifies a host as a computer? Or as a security-enabled (identifiable, protectable) object...
July 31st, 2010 1:01pm

1- Administration in Microsoft Windows Server environments is done with Organizational Units (OUs). You can create them, move computer and user accounts into them, apply Group Policies to them and delegate their administration.
2- It is not possible to restrict administration to a physical location by the use of Organizational Units. You are able to apply rules which specify on which machines the delegated administrators will be able to open a session, and then you will be able to control them and choose the machines from which they will be able to administer your environment.
3- AD identifies computers with the use of SIDs (Security Identifiers = Domain SID + RID).
4- This link will help you to understand the concept of computers: http://uk.encarta.msn.com/dictionary_1861771227/computer.html
August 2nd, 2010 1:33am
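The "rules which specify on which machines the delegated administrators will be able to open a session" from the answer above can be expressed with the ActiveDirectory PowerShell module. This is an added example, not code from the thread or from Microsoft: it creates an OU for the administrative workstations, moves those computer accounts into it, and sets the "Log On To" restriction (the LogonWorkstations attribute) on every member of a delegated-admin group. The OU name, group name, NetBIOS names and the CN=Users container are assumptions for a lab.

```powershell
# Added example (not from the thread). Restrict a group of delegated
# administrators to a fixed set of workstations. All names are assumptions.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$ouName     = "Tier0-AdminWorkstations"          # assumed OU name
$adminOU    = "OU=$ouName,$domainDN"
$adminGroup = "Tier0-Admins"                     # assumed group name
$adminHosts = @("ADMWS01", "ADMWS02")            # assumed NetBIOS computer names

# 1. An OU that holds only the administrative workstations, so Group Policy
#    (firewall, IPsec, user rights) can be scoped to those machines alone.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
          -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
foreach ($h in $adminHosts) {
    $c = Get-ADComputer -Filter "Name -eq '$h'"
    if ($c -and $c.DistinguishedName -notlike "*,$adminOU") {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $adminOU
    }
}

# 2. A security group for the delegated administrators. Each member account
#    gets the "Log On To" restriction: a comma-separated list of NetBIOS
#    names, no spaces, which the DC checks against the workstation name
#    presented in the logon request.
if (-not (Get-ADGroup -Filter "Name -eq '$adminGroup'")) {
    New-ADGroup -Name $adminGroup -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$domainDN"
}
$members = Get-ADGroupMember -Identity $adminGroup |
           Where-Object { $_.objectClass -eq 'user' }
foreach ($u in $members) {
    Set-ADUser -Identity $u.SamAccountName -LogonWorkstations ($adminHosts -join ',')
}

# 3. Verify what was written.
$members | Get-ADUser -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Two caveats a practitioner would want. The LogonWorkstations check is enforced by the domain controller against the computer name the client supplies in the logon request, so it is an administrative boundary on accounts, not an authentication of the hardware; it answers question 1 of the original post, not question 3. And because the OU only groups computer objects, the actual "only from here" enforcement still has to come from policy applied to that OU (the user-rights and firewall settings discussed later in this thread).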

4- This link will help you to understand the concept of computers: http://uk.encarta.msn.com/dictionary_1861771227/computer.html
This will not. This definition suits most electronic devices (for example, an amplifier or a TV set).
August 2nd, 2010 7:08am

3- AD identifies computers with the use of SIDs (Security Identifiers = Domain SID + RID)
Mark Russinovich says the opposite.
August 2nd, 2010 7:23am

3- I am sure that a computer is identified by its SID. This is what is mentioned in the Microsoft Official Courses. There is an Active Directory server that hosts the RID master role. When a new computer is created, it will be identified by a SID which is a combination of the domain SID and a RID that was given by the RID master.
4- This is another definition of computers: http://www.techterms.com/definition/computer
August 2nd, 2010 2:21pm

To restrict administration to chosen computers, you need to do the following. On the DC or server:
1. Set up a Firewall policy or IPsec policy to allow only selected computers or IP addresses.
2. Configure the following policies:
[Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally]
[Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services]
Add only selected users. After these steps, no other user could access the DC or server.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 3rd, 2010 3:52pm
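The two steps in the answer above, carried out on a member server, as an added example that is not code from the thread or from Microsoft. Step 1 scopes inbound RDP to the administrative workstations with the NetSecurity cmdlets (Windows Server 2012 and later); step 2 rewrites the two user rights named in the answer with secedit so that only the built-in Administrators group and one delegated-admin group keep them. The IP addresses, the domain group name and the scratch folder are assumptions; the two privilege names are the real secedit names behind "Allow log on locally" and "Allow log on through Terminal Services" (today "Remote Desktop Services").

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on the
# server being locked down. Addresses, group and paths are assumptions.

$adminHosts = @("10.0.10.21", "10.0.10.22")   # assumed admin workstation IPs
$adminGroup = "CORP\Tier0-Admins"             # assumed domain group
$work       = "C:\Windows\Temp\secpol"        # assumed scratch folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Step 1: firewall. Windows Firewall unions all Allow rules, so the built-in
# "Remote Desktop" rule group must be disabled first or RDP stays open to
# everyone; the profile's default inbound action (Block) then applies to any
# source not in the scoped rule.
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -Enabled False
if (-not (Get-NetFirewallRule -DisplayName "RDP from admin hosts" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "RDP from admin hosts" -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $adminHosts `
        -Action Allow -Profile Domain
}

# Step 2: user rights. secedit templates name principals by SID, so resolve
# the group first. S-1-5-32-544 (BUILTIN\Administrators) is kept on both
# rights so the change cannot lock out the person applying it.
$sid = (New-Object System.Security.Principal.NTAccount($adminGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the current assignments to see exactly what is about to be replaced.
secedit /export /cfg "$work\current.inf" /areas USER_RIGHTS | Out-Null
Select-String -Path "$work\current.inf" `
    -Pattern '^Se(Interactive|RemoteInteractive)LogonRight'

# Template: SeInteractiveLogonRight is "Allow log on locally";
# SeRemoteInteractiveLogonRight is "Allow log on through Terminal Services".
# Anything not listed loses the right.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*$sid
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*$sid
"@ | Set-Content -Path "$work\restrict.inf" -Encoding Unicode

secedit /configure /db "$work\restrict.sdb" /cfg "$work\restrict.inf" `
    /areas USER_RIGHTS /quiet
gpupdate /target:computer /force | Out-Null

# Confirm the result from a fresh export.
secedit /export /cfg "$work\after.inf" /areas USER_RIGHTS | Out-Null
Select-String -Path "$work\after.inf" `
    -Pattern '^Se(Interactive|RemoteInteractive)LogonRight'
```

On a domain controller the same two rights are delivered by the Default Domain Controllers Policy, and a GPO setting overrides whatever secedit writes locally at the next refresh; there, put the same two entries into that GPO under the path the answer quotes instead of running step 2 locally. Note also what each step actually identifies: the firewall rule keys on source IP addresses, and the user rights key on accounts. Neither authenticates the computer itself; of the options in the answer, only the IPsec policy with machine certificates ties the connection to a particular machine's credential.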

To restrict administration to chosen computers, you need to do: On DC or server: 1. Setup Firewall policy or IPSEC policy to allow only select computer or IP address. 2. Configure the following policy: [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally]
I asked about computers, not about users.... IP addresses can be assigned through DHCP, computers can be used as laptops from different places, including remotely from outside the AD perimeter, and, eventually, computers can be booted from CD (and, as I understood, the SID is assigned during Windows installation)... So, essentially, I do not understand how computers are being identified (if by their SID, then what is the sense in it)... and is it computers that are identified, or a specific Windows setup on a specific hard disk (which again can be used from another computer)? Though, I already closed my question (by marking it as answered) because I understood that MS itself, or their employees/representatives like Mark Russinovich, judging by his The Machine SID Duplication Myth, does not know the answer to this question.
August 3rd, 2010 5:17pm

The SID is for the Windows installation. You can install many copies of Windows on the same hardware, the same machine; every Windows installation has its own SID.
Thanks.
August 4th, 2010 1:31pm
