Solved

How to make a user a local administrator on a domain controller

Posted on 2007-03-18
6
371 Views
Last Modified: 2010-04-18
I have a windows server 2003 domain.  I just setup a new user that needs to have administrator access only on the server itself (the local machine).  Since you cannot use Local Users and Groups on a domain controller, how can I accomplish this?
0
Comment
Question by:doulos777
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 18745544
your local admin group is now your administrators group in the builtin container.....you can add your user to that group but this is very dangerous.....
0
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 18745693
A domain controller doesnt have a active SAM database like any member server. Because of this you cant create a "local" user on a domain controller. I placed the dubblequotes on local because in fact the Active Directory is the local database on domain controllers.

Next to that, as far as i know there isnt a "local administrators" group on a domain controller. You either have domain administrator privs and or forest administrator groups. There are allot of additinal groups that help you tailor the right privs for that user. Just lookup the "Build in" OU in the users and computers snapin and read the comments on those groups.

You can also use the default domain controller security settings. To do this browse to:
>Start>Administrative Tools>Default Domain Controller Security Settings>
Security Settings>Local Policies>User Rights Assignments.

Add the user to the things you want him to do.

-Regards,
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 18745780
There is a SAM database on domain controllers but it contains precisely one account -- administrator.  This local administrator account can only be accessed in Directory Services Restore Mode or the Recovery Console.  Its password is set when the server is promoted to domain controller and it can be changed with NTDSUTIL (or with setpwd.exe in Windows 2000).  

That said you are probably better off doing what Chris_Gralike suggested and using one of the default groups based on what tasks the user needs to accomplish.  See here for more information:
http://technet2.microsoft.com/WindowsServer/en/library/f6e01e51-14ea-48f4-97fc-5288a9a4a9b11033.mspx
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 18745790
delegation of control is also a very useful tool for AD related tasks
0
 
LVL 11

Expert Comment

by:Chris Gralike
ID: 18745793
hehe, your right shift. ;-)

thought it to be a bit out of scope :-) but nice addition in any case

-Regards,
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18746882
doulos777,

Since you posted this question in the Windows Server 2003 Zone as well as the SBS Small Business Server Zone, can I assume that you are talking about an SBS 2003 here?  If so, it's important that you state that in your question because SBS's are managed differently than stand-alone servers.

On an SBS, to add an additional Administrator user, you just use the Administrator User Template when you run the Add-User wizard.  This will ensure that the new user has all appropriate permissions and rights.

Jeff
TechSoEasy
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question