Solved

How to make a user a local administrator on a domain controller

Posted on 2007-03-18
Last Modified: 2010-04-18
I have a Windows Server 2003 domain. I just set up a new user that needs to have administrator access only on the server itself (the local machine). Since you cannot use Local Users and Groups on a domain controller, how can I accomplish this?
Question by:doulos777
6 Comments
 

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 18745544
Your local admin group is now your Administrators group in the Builtin container... you can add your user to that group, but this is very dangerous...

Expert Comment

by:Chris_Gralike
ID: 18745693
A domain controller doesn't have an active SAM database like any member server. Because of this you can't create a "local" user on a domain controller. I placed the double quotes on local because in fact the Active Directory is the local database on domain controllers.

Next to that, as far as I know there isn't a "local administrators" group on a domain controller. You either have domain administrator privs and/or forest administrator groups. There are a lot of additional groups that help you tailor the right privs for that user. Just look up the "Builtin" OU in the Users and Computers snap-in and read the comments on those groups.

You can also use the default domain controller security settings. To do this browse to:
Start > Administrative Tools > Default Domain Controller Security Settings > Security Settings > Local Policies > User Rights Assignments.

Add the user to the things you want him to do.

-Regards,
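
Added example, not part of any comment in this thread: after rights have been granted through User Rights Assignment as described above, `secedit /export /cfg rights.inf /areas USER_RIGHTS` on the domain controller writes them to an INF file, and the Python code below parses that file to show what one account holds and which grants come close to administrator power. The sample export, the account SID and the selection of high-risk rights are assumptions constructed for illustration.

```python
import configparser

# Rights commonly treated as administrator-equivalent on a domain controller
# (an illustrative selection, not a complete list).
HIGH_RISK = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
}
BUILTIN_PREFIX = "S-1-5-32-"  # well-known Builtin groups, e.g. 544 = Administrators

# Constructed account SID (made-up domain SID and RID) and constructed export.
# A real export file is UTF-16; read it with open(path, encoding="utf-16").
USER = "S-1-5-21-1111111111-2222222222-3333333333-1107"
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*{USER}
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*{USER}
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original case of right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
            for right, value in cp.items("Privilege Rights")}

def rights_of(rights, principal):
    """Every user right granted directly to one SID or account name."""
    return sorted(r for r, holders in rights.items() if principal in holders)

def risky_grants(rights):
    """High-risk rights held by anything other than a Builtin group."""
    return sorted((r, p) for r, holders in rights.items() if r in HIGH_RISK
                  for p in holders if not p.startswith(BUILTIN_PREFIX))

if __name__ == "__main__":
    parsed = parse_rights(SAMPLE_INF)
    print("Rights held by the account:", rights_of(parsed, USER))
    for right, who in risky_grants(parsed):
        print(f"REVIEW: {right} granted to {who}")
```
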

Expert Comment

by:Shift-3
ID: 18745780
There is a SAM database on domain controllers but it contains precisely one account -- administrator.  This local administrator account can only be accessed in Directory Services Restore Mode or the Recovery Console.  Its password is set when the server is promoted to domain controller and it can be changed with NTDSUTIL (or with setpwd.exe in Windows 2000).  

That said you are probably better off doing what Chris_Gralike suggested and using one of the default groups based on what tasks the user needs to accomplish.  See here for more information:
http://technet2.microsoft.com/WindowsServer/en/library/f6e01e51-14ea-48f4-97fc-5288a9a4a9b11033.mspx

Expert Comment

by:Jay_Jay70
ID: 18745790
Delegation of control is also a very useful tool for AD-related tasks.

Expert Comment

by:Chris_Gralike
ID: 18745793
Hehe, you're right, Shift. ;-)

Thought it to be a bit out of scope :-) but nice addition in any case.

-Regards,

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18746882
doulos777,

Since you posted this question in the Windows Server 2003 Zone as well as the SBS Small Business Server Zone, can I assume that you are talking about an SBS 2003 here?  If so, it's important that you state that in your question because SBS's are managed differently than stand-alone servers.

On an SBS, to add an additional Administrator user, you just use the Administrator User Template when you run the Add-User wizard.  This will ensure that the new user has all appropriate permissions and rights.

Jeff
TechSoEasy