How to make a user a local administrator on a domain controller

I have a windows server 2003 domain.  I just setup a new user that needs to have administrator access only on the server itself (the local machine).  Since you cannot use Local Users and Groups on a domain controller, how can I accomplish this?
doulos777Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jay_Jay70Commented:
your local admin group is now your administrators group in the builtin container.....you can add your user to that group but this is very dangerous.....
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Chris GralikeSpecialistCommented:
A domain controller doesnt have a active SAM database like any member server. Because of this you cant create a "local" user on a domain controller. I placed the dubblequotes on local because in fact the Active Directory is the local database on domain controllers.

Next to that, as far as i know there isnt a "local administrators" group on a domain controller. You either have domain administrator privs and or forest administrator groups. There are allot of additinal groups that help you tailor the right privs for that user. Just lookup the "Build in" OU in the users and computers snapin and read the comments on those groups.

You can also use the default domain controller security settings. To do this browse to:
>Start>Administrative Tools>Default Domain Controller Security Settings>
Security Settings>Local Policies>User Rights Assignments.

Add the user to the things you want him to do.

-Regards,
0
Shift-3Commented:
There is a SAM database on domain controllers but it contains precisely one account -- administrator.  This local administrator account can only be accessed in Directory Services Restore Mode or the Recovery Console.  Its password is set when the server is promoted to domain controller and it can be changed with NTDSUTIL (or with setpwd.exe in Windows 2000).  

That said you are probably better off doing what Chris_Gralike suggested and using one of the default groups based on what tasks the user needs to accomplish.  See here for more information:
http://technet2.microsoft.com/WindowsServer/en/library/f6e01e51-14ea-48f4-97fc-5288a9a4a9b11033.mspx
0
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Jay_Jay70Commented:
delegation of control is also a very useful tool for AD related tasks
0
Chris GralikeSpecialistCommented:
hehe, your right shift. ;-)

thought it to be a bit out of scope :-) but nice addition in any case

-Regards,
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
doulos777,

Since you posted this question in the Windows Server 2003 Zone as well as the SBS Small Business Server Zone, can I assume that you are talking about an SBS 2003 here?  If so, it's important that you state that in your question because SBS's are managed differently than stand-alone servers.

On an SBS, to add an additional Administrator user, you just use the Administrator User Template when you run the Add-User wizard.  This will ensure that the new user has all appropriate permissions and rights.

Jeff
TechSoEasy
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.