Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to grant a user 'local' admin on a DC

Posted on 2008-10-08
7
Medium Priority
?
560 Views
Last Modified: 2013-11-25
We have a small domain with 3 servers. Only 1 was a DC. I took the step of upgrading a 2nd to DC for obvious reasons. One of our users controls print queues and another administrates a website and IIS/SQL on the promoted DC and both were in the local admin group previously. They need to be admins on the server, but I don't want either to be a domain admin as I don't want prevent access to the other 2 servers.

I put together a GP that included the "Administrators" Security group for the 2nd DC, and added their user names to it. It didn't work, although I half didn't expect it to. I know this GP is correct, because I have other identical GPs for groups of PCs elsewhere in the domain.

Can anyone suggest a decent solution to the problem of giving a user account 'local' admin access on a DC?
0
Comment
Question by:AdoBeebo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 8

Assisted Solution

by:mikainz
mikainz earned 400 total points
ID: 22667243
there are no local administrators on DCs, because a DC does not have a local SAM.
You need to use built in User Groups like printer operators and set permissions on the objects and or give those users special rights like log on locally through GPO for DCs.
hth
0
 
LVL 3

Author Comment

by:AdoBeebo
ID: 22667258
I've got a GPO already for this which isn't having the desired effect, although I've specified "Administrators" rather than "BUILTIN\Administrators". I'll give it a try now.
0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 800 total points
ID: 22667470
You can do a couple of things:

One is to grant them access as printer operators and grant them admin rights to the website folders, (usually found in C:\WWWroot) as mkainz was saying.

Below is a step-by-step guide to the delegation of control. It is done by a wizard and is pretty easy to set up.
http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml

You can grant admin rights to printers, (I don't know about web pages), password policies with delegation of control.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22668314
It's worth noting that, strictly speaking, making someone a member of the Administrators group on a DC gives them full administrative rights to every DC in your domain, and full administrative rights to your Active Directory database.

Especially now that MS fully supports domain controllers in a virtualized environment, a far better choice would be to create a virtual host to run as a dedicated domain controller, and leave your non-DAs as local administrators on member servers only.
0
 
LVL 3

Author Comment

by:AdoBeebo
ID: 22670685
This is where I am up to. Both users are under the "BUILTIN\Administrators" group, and have verified that they are able to work as normal on the 2nd DC. On the 1st DC I have added their UNs to the "Deny logon through Terminal Services" in local secpol, tested it and they get the standard warning about being in Remote Desktop User group. So 75% done. They can still logon to the 1st DC locally, a privilege that I want to remove.
"Deny logon locally" has greyed out buttons in the machine's local secpol. Any idea, other than a GPO to accomplish the same and deny local logon?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 800 total points
ID: 22670935
You can't deny logon locally to Administrators. This is by design to prevent you from shooting yourself in the foot. And since BUILTIN\Administrators are administrators on all DCs, you're not going to be able to prevent logon locally on one DC or another.
0
 
LVL 3

Author Closing Comment

by:AdoBeebo
ID: 31504146
OK, well the rack is locked, and it's only temporary until the website and print server function is transferred off the DC. Thanks for all the help.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question