How to make a user a local administrator on a domain controller

I have a windows server 2003 domain.  I just setup a new user that needs to have administrator access only on the server itself (the local machine).  Since you cannot use Local Users and Groups on a domain controller, how can I accomplish this?
Who is Participating?
Jay_Jay70Connect With a Mentor Commented:
your local admin group is now your administrators group in the builtin can add your user to that group but this is very dangerous.....
Chris GralikeSpecialistCommented:
A domain controller doesnt have a active SAM database like any member server. Because of this you cant create a "local" user on a domain controller. I placed the dubblequotes on local because in fact the Active Directory is the local database on domain controllers.

Next to that, as far as i know there isnt a "local administrators" group on a domain controller. You either have domain administrator privs and or forest administrator groups. There are allot of additinal groups that help you tailor the right privs for that user. Just lookup the "Build in" OU in the users and computers snapin and read the comments on those groups.

You can also use the default domain controller security settings. To do this browse to:
>Start>Administrative Tools>Default Domain Controller Security Settings>
Security Settings>Local Policies>User Rights Assignments.

Add the user to the things you want him to do.

There is a SAM database on domain controllers but it contains precisely one account -- administrator.  This local administrator account can only be accessed in Directory Services Restore Mode or the Recovery Console.  Its password is set when the server is promoted to domain controller and it can be changed with NTDSUTIL (or with setpwd.exe in Windows 2000).  

That said you are probably better off doing what Chris_Gralike suggested and using one of the default groups based on what tasks the user needs to accomplish.  See here for more information:
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

delegation of control is also a very useful tool for AD related tasks
Chris GralikeSpecialistCommented:
hehe, your right shift. ;-)

thought it to be a bit out of scope :-) but nice addition in any case

Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:

Since you posted this question in the Windows Server 2003 Zone as well as the SBS Small Business Server Zone, can I assume that you are talking about an SBS 2003 here?  If so, it's important that you state that in your question because SBS's are managed differently than stand-alone servers.

On an SBS, to add an additional Administrator user, you just use the Administrator User Template when you run the Add-User wizard.  This will ensure that the new user has all appropriate permissions and rights.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.