Solved

How to grant a user 'local' admin on a DC

Posted on 2008-10-08
547 Views
Last Modified: 2013-11-25
We have a small domain with 3 servers. Only 1 was a DC. I took the step of upgrading a 2nd to DC for obvious reasons. One of our users controls print queues and another administrates a website and IIS/SQL on the promoted DC and both were in the local admin group previously. They need to be admins on the server, but I don't want either to be a domain admin as I don't want prevent access to the other 2 servers.

I put together a GP that included the "Administrators" Security group for the 2nd DC, and added their user names to it. It didn't work, although I half didn't expect it to. I know this GP is correct, because I have other identical GPs for groups of PCs elsewhere in the domain.

Can anyone suggest a decent solution to the problem of giving a user account 'local' admin access on a DC?
Question by:AdoBeebo
7 Comments
 
LVL 8

Assisted Solution

by:mikainz
mikainz earned 100 total points
ID: 22667243
There are no local administrators on DCs, because a DC does not have a local SAM.
You need to use built-in user groups like Printer Operators and set permissions on the objects, and/or give those users special rights like "log on locally" through a GPO for DCs.
hth
 
LVL 3

Author Comment

by:AdoBeebo
ID: 22667258
I've got a GPO already for this which isn't having the desired effect, although I've specified "Administrators" rather than "BUILTIN\Administrators". I'll give it a try now.
 
LVL 38

Accepted Solution

by:
ChiefIT earned 200 total points
ID: 22667470
You can do a couple of things:

One is to grant them access as printer operators and grant them admin rights to the website folders (usually found in C:\WWWroot), as mikainz was saying.

Below is a step-by-step guide to the delegation of control. It is done by a wizard and is pretty easy to set up.
http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml

You can grant admin rights to printers (I don't know about web pages) and password policies with delegation of control.
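The least-privilege route the two answers above describe (Print Operators for the print queues, an NTFS grant on the site content for the web administrator, no Administrators membership on the DC) can be scripted. This is an added example and not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT) is available on the DC, and the account names and the web content path are placeholders to replace with your own.

```powershell
# Added example (not from the thread): delegate printer and website
# administration on a DC without putting the accounts in Administrators.
# Assumes the ActiveDirectory module; user names and folder are placeholders.
Import-Module ActiveDirectory

$printAdmin = 'printuser'            # placeholder sAMAccountName
$webAdmin   = 'webuser'              # placeholder sAMAccountName
$webRoot    = 'C:\inetpub\wwwroot'   # placeholder: the site's real content path

# 1. Printer management: the built-in Print Operators group carries the
#    printer rights; it does not grant control over the directory itself.
Add-ADGroupMember -Identity 'Print Operators' -Members $printAdmin

# 2. Website content: an explicit, inheritable NTFS ACE on the site folder
#    only, so the account can edit content without server-wide rights.
$acl  = Get-Acl -Path $webRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:USERDOMAIN\$webAdmin",
    'Modify',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $webRoot -AclObject $acl

# 3. Confirm the delegation took effect and nothing more was granted.
foreach ($user in $printAdmin, $webAdmin) {
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
              Select-Object -ExpandProperty Name
    "{0}: {1}" -f $user, ($groups -join ', ')
}
(Get-Acl -Path $webRoot).Access |
    Where-Object IdentityReference -like "*\$webAdmin" |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The check in step 3 is there because the question's original approach (a Restricted Groups GPO adding the users to "Administrators") is what you want to confirm is no longer in effect: the group list printed for each account should contain Print Operators or nothing special, not Administrators or Domain Admins.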
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22668314
It's worth noting that, strictly speaking, making someone a member of the Administrators group on a DC gives them full administrative rights to every DC in your domain, and full administrative rights to your Active Directory database.

Especially now that MS fully supports domain controllers in a virtualized environment, a far better choice would be to create a virtual host to run as a dedicated domain controller, and leave your non-DAs as local administrators on member servers only.
 
LVL 3

Author Comment

by:AdoBeebo
ID: 22670685
This is where I am up to. Both users are under the "BUILTIN\Administrators" group, and I have verified that they are able to work as normal on the 2nd DC. On the 1st DC I have added their UNs to the "Deny logon through Terminal Services" in local secpol, tested it, and they get the standard warning about being in the Remote Desktop Users group. So 75% done. They can still log on to the 1st DC locally, a privilege that I want to remove.
"Deny logon locally" has greyed out buttons in the machine's local secpol. Any idea, other than a GPO to accomplish the same and deny local logon?
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 200 total points
ID: 22670935
You can't deny logon locally to Administrators. This is by design to prevent you from shooting yourself in the foot. And since BUILTIN\Administrators are administrators on all DCs, you're not going to be able to prevent logon locally on one DC or another.
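Two points made in this thread are worth checking on the box rather than assuming: that membership of Administrators on a DC is domain-wide (the same on every DC, with full rights over AD), and that a "Deny log on locally" entry for such an account is not a control you can rely on. The audit below is an added example, not code from the thread; it assumes it runs elevated on a DC with the ActiveDirectory module installed, and it uses `secedit` to export the effective user-rights assignment to a temporary file that it parses and deletes.

```powershell
# Added example (not from the thread): audit effective DC administrators and
# the logon-related user rights on this DC. Assumes an elevated session on a
# DC with the ActiveDirectory module available.
Import-Module ActiveDirectory

# 1. Effective members of BUILTIN\Administrators with nesting expanded.
#    On a DC this list is domain-wide: every DC, and the directory, is affected.
$dcAdmins = Get-ADGroupMember -Identity 'Administrators' -Recursive |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty SamAccountName
"Effective Administrators on all DCs: $($dcAdmins -join ', ')"

# 2. Export the user-rights assignment and read the logon rights from the
#    [Privilege Rights] section (SIDs appear with a leading '*').
$inf = Join-Path $env:TEMP 'userrights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name  = $matches[1]
        $value = $matches[2]
        $rights[$name] = @($value -split ',' | ForEach-Object {
            $p = $_.Trim()
            if ($p -match '^\*(S-1-.+)$') {
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($matches[1])).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $matches[1] }   # unresolvable SID: keep it raw
            } else { $p }
        })
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

$logonRights = 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight',
               'SeRemoteInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'
foreach ($right in $logonRights) {
    "{0,-36} {1}" -f $right, (($rights[$right]) -join ', ')
}

# 3. Flag any effective administrator that the policy lists under
#    "Deny log on locally": per the answer above, that deny is not a
#    boundary you can lean on for members of Administrators on a DC.
foreach ($denied in $rights['SeDenyInteractiveLogonRight']) {
    $sam = ($denied -split '\\')[-1]
    if ($dcAdmins -contains $sam) {
        Write-Warning "$denied is in Deny log on locally but is an effective Administrator on every DC"
    }
}
```

Running this on the 1st DC in the author's situation would print both web and print accounts in the first line, show them under `SeDenyRemoteInteractiveLogonRight`, and raise a warning for any of them that was also added to the local deny-logon right, which is the mismatch the thread is describing.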
 
LVL 3

Author Closing Comment

by:AdoBeebo
ID: 31504146
OK, well the rack is locked, and it's only temporary until the website and print server function is transferred off the DC. Thanks for all the help.
