Solved

How to make a user a local administrator on a domain controller

Posted on 2007-03-18
6
367 Views
Last Modified: 2010-04-18
I have a windows server 2003 domain.  I just setup a new user that needs to have administrator access only on the server itself (the local machine).  Since you cannot use Local Users and Groups on a domain controller, how can I accomplish this?
0
Comment
Question by:doulos777
6 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 18745544
your local admin group is now your administrators group in the builtin container.....you can add your user to that group but this is very dangerous.....
0
 
LVL 10

Expert Comment

by:Chris_Gralike
ID: 18745693
A domain controller doesnt have a active SAM database like any member server. Because of this you cant create a "local" user on a domain controller. I placed the dubblequotes on local because in fact the Active Directory is the local database on domain controllers.

Next to that, as far as i know there isnt a "local administrators" group on a domain controller. You either have domain administrator privs and or forest administrator groups. There are allot of additinal groups that help you tailor the right privs for that user. Just lookup the "Build in" OU in the users and computers snapin and read the comments on those groups.

You can also use the default domain controller security settings. To do this browse to:
>Start>Administrative Tools>Default Domain Controller Security Settings>
Security Settings>Local Policies>User Rights Assignments.

Add the user to the things you want him to do.

-Regards,
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 18745780
There is a SAM database on domain controllers but it contains precisely one account -- administrator.  This local administrator account can only be accessed in Directory Services Restore Mode or the Recovery Console.  Its password is set when the server is promoted to domain controller and it can be changed with NTDSUTIL (or with setpwd.exe in Windows 2000).  

That said you are probably better off doing what Chris_Gralike suggested and using one of the default groups based on what tasks the user needs to accomplish.  See here for more information:
http://technet2.microsoft.com/WindowsServer/en/library/f6e01e51-14ea-48f4-97fc-5288a9a4a9b11033.mspx
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18745790
delegation of control is also a very useful tool for AD related tasks
0
 
LVL 10

Expert Comment

by:Chris_Gralike
ID: 18745793
hehe, your right shift. ;-)

thought it to be a bit out of scope :-) but nice addition in any case

-Regards,
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18746882
doulos777,

Since you posted this question in the Windows Server 2003 Zone as well as the SBS Small Business Server Zone, can I assume that you are talking about an SBS 2003 here?  If so, it's important that you state that in your question because SBS's are managed differently than stand-alone servers.

On an SBS, to add an additional Administrator user, you just use the Administrator User Template when you run the Add-User wizard.  This will ensure that the new user has all appropriate permissions and rights.

Jeff
TechSoEasy
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 10 VPN? 6 93
SBS 2003 RWW Login 3 42
Massive Event ID 10009 5 27
Move Roles from SBS Exchange 2010 to New Exchange Server 2016 4 35
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question