AD Policy to restrict user with Admin rights to one server only

compcowboy used Ask the Experts™
I have an environment with multiple servers and two domain controllers using AD. I have a vendor that needs admin access to one server only and would like to restrict them to this server only with admin rights. I'm having a serious brain stall on this one. Can someone guide me through this please?



You can do one of two things: create a GPO and set it to only be active on them by WMI or rights (only give that user rights to the policy),

or add the user to the normal groups and in the user properties allow logon only to a particular server ...
(less secure)

or of course, if it's not a domain controller, just make a local user and leave it at that.

Of course you will always have the risk that the vendor creates a scheduled task that runs as a system account on the server, which does have some rights on the rest of the servers.


Open AD, select the user, go to the tab called Account. Open "Log On To" and choose "The following computers". Add computer(s) and/or server(s).

And (to give admin rights on one computer only):

add this account to the local "Administrators" group. If this DC is Active Directory, then open AD and add the user to the local BuiltIn "Administrators" group.

You can do it via command prompt:
net localgroup Administrators MemberName /add

Brian Pierce, Photographer (Awarded 2007, Top Expert 2008)

There is a problem with this. You can't use any local groups on a domain controller, as local groups do not exist on domain controllers!

You can create a user account and under the Account tab, click 'Log on To' and specify the machine that you want the user to be able to log on to.

The problem with this is that the user has access to Active Directory, which is of course domain-wide and not restricted to the server, so rather than give the user full administrator rights you might want to consider delegating control. If necessary you could move the second domain controller into an OU of its own and then delegate control to that OU.
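As an added example (not from any poster here), the "Log On To" restriction plus a local Administrators membership for the non-DC case, done in PowerShell instead of the GUI and net localgroup, with a check that the account holds no domain-wide admin group. The account name "vendor.svc", server "APP01" and domain "CORP" are assumed placeholders; it assumes RSAT's ActiveDirectory module and Windows Server 2016 or later on the target.

```powershell
# Assumed placeholders: adjust to your own vendor account, member server and domain.
$Vendor = 'vendor.svc'
$Server = 'APP01'
$Domain = 'CORP'

Import-Module ActiveDirectory

# 1. Restrict where the account may log on (the "Log On To" tab in ADUC).
Set-ADUser -Identity $Vendor -LogonWorkstations $Server

# 2. Grant local admin on that one member server only.
#    This fails on a domain controller, which has no local groups (see KCTS's point above).
Invoke-Command -ComputerName $Server -ScriptBlock {
    param($Account)
    Add-LocalGroupMember -Group 'Administrators' -Member $Account
} -ArgumentList "$Domain\$Vendor"

# 3. Verify the account is not in any domain-wide privileged group.
$Privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Schema Admins'
$MemberOf = (Get-ADUser -Identity $Vendor -Properties MemberOf).MemberOf |
            ForEach-Object { (Get-ADGroup -Identity $_).Name }
$Bad = $MemberOf | Where-Object { $_ -in $Privileged }
if ($Bad) {
    Write-Warning "$Vendor is in domain-wide privileged group(s): $($Bad -join ', ')"
} else {
    Write-Host "$Vendor holds no domain-wide privileged group membership."
}

# 4. Show the resulting restriction and the server's local Administrators list.
(Get-ADUser -Identity $Vendor -Properties LogonWorkstations).LogonWorkstations
Invoke-Command -ComputerName $Server -ScriptBlock { Get-LocalGroupMember -Group 'Administrators' }
```

Step 3 is the check that catches the mistake discussed later in this thread, where adding the account to the DC's BuiltIn Administrators group grants it rights across the whole domain.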

I agree with KCTS that you can restrict the user using the Log On To settings in AD, but what happens is that the user will not be able to log in to any other machine, which might create an added burden. So maybe you can create two IDs for the user: one as a normal user and the other with the Log On To settings for what you need him to do.

Hope this helps


Thanks KCTS. I'll give that a try. You're correct. You can't use local groups on DCs, which was my issue.

There is no need to service access at this point, and this vendor only needs access to one system.

I'll take a look at your solution tomorrow and post the results.


DC doesn't have local groups because you have Active Directory on DC, and local groups are replaced by Active Directory. Use AD and BuiltIn groups to manage local groups on AD!

I have created a user named "TestUser" on my DC. If I try to log on with this user, there is a message that the user can't log in, and that's OK because I don't have admin rights. If I log in with admin rights and type (in cmd):
net localgroup Administrators TestUser /add
guess what? I can log in with TestUser. Then I went into AD and saw the BuiltIn group "Administrators", and user TestUser was in this group.

Please try this because it works!

Cro0707, that's dangerous, because you have just given the user administrator rights on the domain.

Please use the delegation of control to do this.

Create a sub-OU under the Domain Controllers OU and move the second DC to that OU. Use delegation of control to set the precise rights you want to give. This way you can specifically set the rights the user has, and only to this one box.


I did try KCTS's suggestion and it does work. As noted, the one issue is this user does have admin rights and can make changes to his or her profile to remove this restriction, though. At this point, I do not have a concern of this happening, but from a security point, it would be nice to tighten up that hole. It would be nice, once again, to be able to give this one user admin rights on just this one system but lock them out from making AD changes. Then problem solved.

Site Reliability Engineer (Most Valuable Expert 2011)
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:

          Accept KCTS's comment as answer.

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Experts Exchange Cleanup Volunteer
