Solved

How to grant a user 'local' admin on a DC

Posted on 2008-10-08
541 Views
Last Modified: 2013-11-25
We have a small domain with 3 servers. Only 1 was a DC. I took the step of upgrading a 2nd to DC for obvious reasons. One of our users controls print queues and another administrates a website and IIS/SQL on the promoted DC and both were in the local admin group previously. They need to be admins on the server, but I don't want either to be a domain admin as I don't want to prevent access to the other 2 servers.

I put together a GP that included the "Administrators" Security group for the 2nd DC, and added their user names to it. It didn't work, although I half didn't expect it to. I know this GP is correct, because I have other identical GPs for groups of PCs elsewhere in the domain.

Can anyone suggest a decent solution to the problem of giving a user account 'local' admin access on a DC?
Question by:AdoBeebo
7 Comments

Assisted Solution

by:mikainz
mikainz earned 100 total points
ID: 22667243
There are no local administrators on DCs, because a DC does not have a local SAM.
You need to use built-in user groups like printer operators and set permissions on the objects, and/or give those users special rights like log on locally through GPO for DCs.
hth

Author Comment

by:AdoBeebo
ID: 22667258
I've got a GPO already for this which isn't having the desired effect, although I've specified "Administrators" rather than "BUILTIN\Administrators". I'll give it a try now.

Accepted Solution

by:ChiefIT
ChiefIT earned 200 total points
ID: 22667470
You can do a couple of things:

One is to grant them access as printer operators and grant them admin rights to the website folders, (usually found in C:\WWWroot) as mikainz was saying.

Below is a step-by-step guide to the delegation of control. It is done by a wizard and is pretty easy to set up.
http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml

You can grant admin rights to printers, (I don't know about web pages), password policies with delegation of control.
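To make the two targeted grants in this answer concrete, here is an added example (not ChiefIT's commands and not from the thread): NTFS Modify on the site folder with icacls, and the command-line equivalent of the Delegation of Control wizard with dsacls, delegating only "Reset Password" on one OU. The CORP domain, the webadmin and HelpDesk accounts, the OU and the folder path are placeholders.

```powershell
# Added example, not part of the original thread. Replaces "make them
# Administrators on the DC" with two narrow grants. All names below
# (CORP, webadmin, HelpDesk, the OU, the folder) are placeholders.

$domain   = 'CORP'
$webAdmin = "$domain\webadmin"               # assumed website admin account
$siteRoot = 'C:\inetpub\wwwroot\intranet'    # assumed site content folder
$ou       = 'OU=Staff,DC=corp,DC=example'    # assumed OU holding the user objects
$helpDesk = "$domain\HelpDesk"               # assumed group to delegate to

# 1. Folder rights for the website admin.
#    M  = Modify (read/write/delete content) but NOT Full Control, so the
#         account cannot rewrite the ACL and grant itself more.
#    (OI)(CI) = inherited by files and subfolders created under the root.
icacls $siteRoot /grant "${webAdmin}:(OI)(CI)M"

# Show the resulting ACEs on the root (add /T to walk the tree).
icacls $siteRoot

# 2. Directory delegation for the help-desk group.
#    CA;Reset Password;user = the "Reset Password" control-access right on
#    user objects; /I:S applies it to objects under the OU, not the OU itself.
dsacls $ou /I:S /G "${helpDesk}:CA;Reset Password;user"
#    Read/write pwdLastSet lets them tick "must change password at next logon".
dsacls $ou /I:S /G "${helpDesk}:RPWP;pwdLastSet;user"

# Print only the ACEs that mention the delegated group.
dsacls $ou | Select-String -SimpleMatch $helpDesk
```

Run both parts from an elevated prompt on the DC. Neither command touches Administrators or Domain Admins; the website admin gets rights on one folder tree and the help desk gets one right on one OU, which is the shape of delegation the linked wizard produces.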

Expert Comment

by:LauraEHunterMVP
ID: 22668314
It's worth noting that, strictly speaking, making someone a member of the Administrators group on a DC gives them full administrative rights to every DC in your domain, and full administrative rights to your Active Directory database.

Especially now that MS fully supports domain controllers in a virtualized environment, a far better choice would be to create a virtual host to run as a dedicated domain controller, and leave your non-DAs as local administrators on member servers only.
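An added example (not from the thread) that puts mikainz's built-in-group suggestion and the point above together: the print-queue user goes into the built-in Print Operators group, which already holds "Allow log on locally" on domain controllers, and an audit function lists everyone who is, directly or through nesting, in the groups that amount to administrator of every DC and of the directory. It assumes the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later, so an assumption for a 2008 domain); the account name printadmin is a placeholder.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# module (Server 2008 R2 / RSAT or later). 'printadmin' is a placeholder.
Import-Module ActiveDirectory

# Membership of any of these equals "administrator of every DC and of AD".
# Administrators on a DC is the domain's BUILTIN\Administrators (S-1-5-32-544);
# there is no separate local SAM group on a DC to put someone in instead.
$privilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins')

function Get-PrivilegedMembers {
    # One object per (group, account) pair, following nested groups.
    foreach ($g in $privilegedGroups) {
        $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # Enterprise/Schema Admins exist only in the forest root
        Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
            New-Object PSObject -Property @{
                Group   = $g
                Account = $_.SamAccountName
                SID     = $_.SID.Value
            }
        }
    }
}

function Grant-PrintOperatorRole {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # Built-in Print Operators can manage printers and queues and already
    # holds "Allow log on locally" on DCs, so the print user never needs
    # Administrators. Still privileged (see note below), but far narrower.
    Add-ADGroupMember -Identity 'Print Operators' -Members $SamAccountName

    # Fail loudly if the account is, through any nesting, still an admin.
    $hits = @(Get-PrivilegedMembers | Where-Object { $_.Account -eq $SamAccountName })
    if ($hits.Count -gt 0) {
        $via = ($hits | ForEach-Object { $_.Group }) -join ', '
        throw "$SamAccountName is still privileged via: $via"
    }
}

# Usage:
# Grant-PrintOperatorRole -SamAccountName 'printadmin'
# Get-PrivilegedMembers | Sort-Object Account | Format-Table Group, Account, SID -AutoSize
```

The audit is worth running before and after the change: because BUILTIN\Administrators is a domain group, anyone the original poster added "for the 2nd DC" shows up here as an administrator of both DCs. Print Operators is not harmless either: on a DC its members hold "Load and unload device drivers" and "Shut down the system", so treat it as a privileged group, just a much smaller one than Administrators.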

Author Comment

by:AdoBeebo
ID: 22670685
This is where I am up to. Both users are under the "BUILTIN\Administrators" group, and I have verified that they are able to work as normal on the 2nd DC. On the 1st DC I have added their UNs to the "Deny logon through Terminal Services" in local secpol, tested it and they get the standard warning about being in Remote Desktop User group. So 75% done. They can still logon to the 1st DC locally, a privilege that I want to remove.
"Deny logon locally" has greyed out buttons in the machine's local secpol. Any idea, other than a GPO to accomplish the same and deny local logon?

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 200 total points
ID: 22670935
You can't deny logon locally to Administrators. This is by design to prevent you from shooting yourself in the foot. And since BUILTIN\Administrators are administrators on all DCs, you're not going to be able to prevent logon locally on one DC or another.
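An added example (not from the thread) showing where the greyed-out control in AdoBeebo's comment above comes from and what the policy has actually produced. On a DC the user-rights assignment is delivered by the Default Domain Controllers Policy, and the GPO value replaces whatever local secpol holds, so local edits are ignored rather than merged. The function below exports the effective rights with secedit after policy has applied, picks out the four logon rights that matter here and resolves each SID to a name. It uses only Windows' own tool and right names; nothing else is assumed.

```powershell
# Added example, not part of the original thread. Run elevated on the DC.
# Exports the effective user-rights assignment (post-GPO) with secedit and
# resolves the SIDs, so you can see who really holds the logon rights.

function Resolve-PrincipalSid {
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid   # orphaned SID (deleted account) or already a name
    }
}

function Get-EffectiveLogonRights {
    param(
        [string[]]$Rights = @(
            'SeInteractiveLogonRight',           # Allow log on locally
            'SeDenyInteractiveLogonRight',       # Deny log on locally
            'SeRemoteInteractiveLogonRight',     # Allow log on through Terminal Services
            'SeDenyRemoteInteractiveLogonRight'  # Deny log on through Terminal Services
        )
    )
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    # /areas USER_RIGHTS limits the export to the [Privilege Rights] section.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated prompt' }
    try   { $lines = Get-Content $inf }          # secedit writes UTF-16 with BOM; Get-Content detects it
    finally { Remove-Item $inf -ErrorAction SilentlyContinue }

    foreach ($right in $Rights) {
        # Lines look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548
        $line = $lines | Where-Object { $_ -match ("^{0}\s*=" -f $right) } | Select-Object -First 1
        $principals = @()
        if ($line) {
            $rawList = (($line -split '=', 2)[1]).Trim()
            $principals = @($rawList -split ',' | ForEach-Object {
                Resolve-PrincipalSid $_.Trim().TrimStart('*')
            })
        }
        New-Object PSObject -Property @{
            Right      = $right
            Principals = $principals    # empty array = right assigned to nobody
        }
    }
}

# Usage:
# Get-EffectiveLogonRights |
#     Format-Table Right, @{ n = 'Principals'; e = { $_.Principals -join '; ' } } -AutoSize
```

On a default DC the "Allow log on locally" row lists BUILTIN\Administrators together with Account, Backup, Print and Server Operators, which is why an account placed in Administrators can log on to both DCs: the same domain-controller-scoped GPO grants it on each. A deny right only has effect here if it is set in a GPO that applies to the Domain Controllers OU, and listing Administrators itself under a deny right locks out every administrator, which is the foot-shooting the previous comment warns about.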

Author Closing Comment

by:AdoBeebo
ID: 31504146
OK, well the rack is locked, and it's only temporary until the website and print server function is transferred off the DC. Thanks for all the help.