Solved

How to grant a user 'local' admin on a DC

Posted on 2008-10-08
545 Views
Last Modified: 2013-11-25
We have a small domain with 3 servers. Only 1 was a DC. I took the step of upgrading a 2nd to DC for obvious reasons. One of our users controls print queues and another administrates a website and IIS/SQL on the promoted DC, and both were in the local admin group previously. They need to be admins on the server, but I don't want either to be a domain admin as I want to prevent access to the other 2 servers.

I put together a GP that included the "Administrators" Security group for the 2nd DC, and added their user names to it. It didn't work, although I half didn't expect it to. I know this GP is correct, because I have other identical GPs for groups of PCs elsewhere in the domain.

Can anyone suggest a decent solution to the problem of giving a user account 'local' admin access on a DC?
Question by:AdoBeebo
7 Comments
 
LVL 8

Assisted Solution

by:mikainz
mikainz earned 100 total points
ID: 22667243
There are no local administrators on DCs, because a DC does not have a local SAM.
You need to use built-in user groups like Print Operators and set permissions on the objects, and/or give those users special rights like "log on locally" through the GPO for DCs.
HTH
 
LVL 3

Author Comment

by:AdoBeebo
ID: 22667258
I've got a GPO already for this which isn't having the desired effect, although I've specified "Administrators" rather than "BUILTIN\Administrators". I'll give it a try now.
 
LVL 38

Accepted Solution

by:ChiefIT
ChiefIT earned 200 total points
ID: 22667470
You can do a couple of things:

One is to grant them access as Print Operators and grant them admin rights to the website folders (usually found in C:\WWWroot), as mikainz was saying.

Below is a step-by-step guide to the delegation of control. It is done by a wizard and is pretty easy to set up.
http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml

You can grant admin rights to printers (I don't know about web pages) and password policies with delegation of control.
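The delegation route from the accepted answer, worked through as an added example (this is not code from the thread or from any of the posters). It assumes a domain called CONTOSO, two accounts named printuser and webuser, site content under C:\inetpub\wwwroot (the post says C:\WWWroot; adjust the path to match), and an elevated PowerShell 3 or later session on the DC with the RSAT ActiveDirectory module. It puts the print user into the built-in Print Operators group, gives the web user Modify on the site folder only, and then checks that neither account ended up in Administrators, which on a DC is the domain-wide Builtin group rather than a per-machine one.

```powershell
# Added example, not from the thread. Assumed names: domain CONTOSO, users
# 'printuser' (manages print queues) and 'webuser' (manages the website),
# site content under C:\inetpub\wwwroot. Run elevated on the DC as a Domain Admin.
Import-Module ActiveDirectory

$domain    = 'CONTOSO'
$printUser = 'printuser'
$webUser   = 'webuser'
$webRoot   = 'C:\inetpub\wwwroot'

# 1. Print queues: the built-in Print Operators group (SID S-1-5-32-550) can
#    manage printers, jobs and drivers on a DC without Administrators membership,
#    and the Default Domain Controllers Policy already grants it 'Allow log on
#    locally', so no user-rights change is needed for this account.
Add-ADGroupMember -Identity 'Print Operators' -Members $printUser

# 2. Website content: an NTFS ACE on the site folder instead of admin rights
#    on the whole box. Modify (not FullControl) lets the user change files but
#    not rewrite the folder's ACL; the inheritance flags push it to children.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\$webUser",
    'Modify',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow')
$acl = Get-Acl -Path $webRoot
$acl.AddAccessRule($rule)
Set-Acl -Path $webRoot -AclObject $acl

# 3. Verify: neither account should be in Administrators (SID S-1-5-32-544).
#    On a DC that group is the domain's Builtin group, so membership would make
#    them administrators of every DC, not just this one.
$admins = Get-ADGroupMember -Identity 'Administrators' -Recursive |
          Select-Object -ExpandProperty SamAccountName
foreach ($u in @($printUser, $webUser)) {
    if ($admins -contains $u) {
        Write-Warning "$u is still a member of BUILTIN\Administrators"
    }
}

# Show the resulting ACE on the web root and the print user's new group.
(Get-Acl -Path $webRoot).Access |
    Where-Object { $_.IdentityReference -like "*\$webUser" } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited
Get-ADPrincipalGroupMembership -Identity $printUser |
    Select-Object -ExpandProperty Name
```

If the web admin also has to log on to the DC interactively or over RDP, that right is not granted to plain users on a DC by default; add the account to the "Allow log on locally" or "Allow log on through Terminal Services" setting in a GPO linked to the Domain Controllers OU rather than in the machine's local policy.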
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22668314
It's worth noting that, strictly speaking, making someone a member of the Administrators group on a DC gives them full administrative rights to every DC in your domain, and full administrative rights to your Active Directory database.

Especially now that MS fully supports domain controllers in a virtualized environment, a far better choice would be to create a virtual host to run as a dedicated domain controller, and leave your non-DAs as local administrators on member servers only.
 
LVL 3

Author Comment

by:AdoBeebo
ID: 22670685
This is where I am up to. Both users are under the "BUILTIN\Administrators" group, and have verified that they are able to work as normal on the 2nd DC. On the 1st DC I have added their UNs to the "Deny logon through Terminal Services" in local secpol, tested it and they get the standard warning about being in Remote Desktop User group. So 75% done. They can still logon to the 1st DC locally, a privilege that I want to remove.
"Deny logon locally" has greyed out buttons in the machine's local secpol. Any idea, other than a GPO to accomplish the same and deny local logon?
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 200 total points
ID: 22670935
You can't deny logon locally to Administrators. This is by design to prevent you from shooting yourself in the foot. And since BUILTIN\Administrators are administrators on all DCs, you're not going to be able to prevent logon locally on one DC or another.
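An added audit script that makes LauraEHunterMVP's two points visible on the console (it is not code from the thread or its posters). It assumes an elevated PowerShell 3 or later session on a DC with the RSAT ActiveDirectory module, logged on to the domain in question. It shows that Administrators on a DC is the domain's Builtin group with one membership list, lists every DC that list applies to, flags members who are not already Domain or Enterprise Admins (the accounts the question wanted to make "local" admins), and then exports the user rights the DC is actually enforcing, which come from the GPOs linked to the Domain Controllers OU rather than from the local secpol console.

```powershell
# Added example, not from the thread. Run elevated on a DC with the RSAT
# ActiveDirectory module; it only reads, it changes nothing.
Import-Module ActiveDirectory

# On a DC, 'Administrators' is the domain's Builtin group (SID S-1-5-32-544):
# one membership list, applied to every DC and to the AD database itself.
$grp = Get-ADGroup -Identity 'Administrators'
"Administrators SID: $($grp.SID)   scope: $($grp.GroupScope)"

# Every DC that membership applies to.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
"Applies to DCs: $($dcs -join ', ')"

# Members of Administrators who are not Domain Admins or Enterprise Admins.
# These are the 'local' admins the question set out to create; they are in
# fact administrators of every DC listed above.
$tier0 = @('Domain Admins', 'Enterprise Admins') |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty DistinguishedName -Unique
Get-ADGroupMember -Identity 'Administrators' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $tier0 -notcontains $_.DistinguishedName } |
    ForEach-Object {
        Write-Warning "$($_.SamAccountName) is an administrator on all $($dcs.Count) DC(s)"
    }

# The user rights a DC enforces are the effective result of the GPOs linked to
# the Domain Controllers OU; a right defined there shows as read-only in the
# local policy editor. Export the effective rights and resolve the SIDs.
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$pattern = '^Se(Deny)?(Interactive|RemoteInteractive)LogonRight'
foreach ($m in (Select-String -Path $inf -Pattern $pattern)) {
    $name, $value = $m.Line -split '\s*=\s*', 2
    $who = @()
    foreach ($entry in ($value -split ',')) {
        $sid = $entry.Trim().TrimStart('*')   # secedit writes SIDs as *S-1-5-...
        if (-not $sid) { continue }
        try {
            $who += (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                        Translate([System.Security.Principal.NTAccount]).Value
        } catch { $who += $sid }             # unresolvable SID: print it raw
    }
    "{0,-34} {1}" -f $name, ($who -join ', ')
}
```

The last section prints the four rights the thread turns on: Allow/Deny log on locally and Allow/Deny log on through Terminal Services. An account that appears in SeInteractiveLogonRight through Administrators cannot be taken out of it on one DC alone, because the same group and the same policy apply to every DC.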
 
LVL 3

Author Closing Comment

by:AdoBeebo
ID: 31504146
OK, well the rack is locked, and it's only temporary until the website and print server function is transferred off the DC. Thanks for all the help.