AdoBeebo

asked on

How to grant a user 'local' admin on a DC

We have a small domain with 3 servers. Only 1 was a DC. I took the step of upgrading a 2nd to DC for obvious reasons. One of our users controls print queues and another administrates a website and IIS/SQL on the promoted DC, and both were in the local admin group previously. They need to be admins on the server, but I don't want either to be a domain admin, as I want to prevent access to the other 2 servers.

I put together a GP that included the "Administrators" Security group for the 2nd DC, and added their user names to it. It didn't work, although I half didn't expect it to. I know this GP is correct, because I have other identical GPs for groups of PCs elsewhere in the domain.

Can anyone suggest a decent solution to the problem of giving a user account 'local' admin access on a DC?
SOLUTION
mikainz

This solution is only available to members.
AdoBeebo
ASKER

I've got a GPO already for this which isn't having the desired effect, although I've specified "Administrators" rather than "BUILTIN\Administrators". I'll give it a try now.
ASKER CERTIFIED SOLUTION

This solution is only available to members.
It's worth noting that, strictly speaking, making someone a member of the Administrators group on a DC gives them full administrative rights to every DC in your domain, and full administrative rights to your Active Directory database.

Especially now that MS fully supports domain controllers in a virtualized environment, a far better choice would be to create a virtual host to run as a dedicated domain controller, and leave your non-DAs as local administrators on member servers only.
This is where I am up to. Both users are under the "BUILTIN\Administrators" group, and I have verified that they are able to work as normal on the 2nd DC. On the 1st DC I have added their UNs to "Deny logon through Terminal Services" in local secpol, tested it, and they get the standard warning about being in the Remote Desktop Users group. So 75% done. They can still log on to the 1st DC locally, a privilege that I want to remove.
"Deny logon locally" has greyed out buttons in the machine's local secpol. Any idea, other than a GPO to accomplish the same and deny local logon?
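Added example, not part of the thread and not any participant's code, in PowerShell. It demonstrates the two points raised above: on a domain controller BUILTIN\Administrators is a single domain-wide group (one AD object replicated to every DC, so membership is admin on all DCs and on the directory itself), and user-rights assignments on a DC are supplied by the Default Domain Controllers Policy rather than the local policy, which is why the local secpol.msc entries appear greyed out. The script audits both: it lists which of the sample accounts are in Administrators, then exports the effective user rights with secedit and resolves who is in the two deny-logon rights. The account names printadmin and webadmin are constructed placeholders; the script assumes it is run elevated on a DC with the RSAT ActiveDirectory module installed.

```powershell
# Added example: audit DC-wide admin membership and effective deny-logon rights.
# Assumes: elevated session on a domain controller, ActiveDirectory module present.
Import-Module ActiveDirectory

# Constructed sample account names (placeholders, not from the original thread).
$Users = @('printadmin', 'webadmin')

# 1. BUILTIN\Administrators on a DC is one domain-wide group object, so anyone
#    listed here is an administrator on every DC and on the AD database.
$admins = Get-ADGroupMember -Identity 'Administrators' -Recursive |
          Where-Object objectClass -eq 'user' |
          Select-Object -ExpandProperty SamAccountName

foreach ($u in $Users) {
    $inAdmins = $admins -contains $u
    '{0,-12} member of BUILTIN\Administrators (all DCs): {1}' -f $u, $inAdmins
}

# 2. Export the effective user-rights assignments. On a DC these come from the
#    Default Domain Controllers Policy, which is why local secpol shows them greyed out.
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] lines: SeXxxRight = *S-1-5-...,DOMAIN\name,...
$rights = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2] -split ',' | ForEach-Object { $_.Trim() }
    }
}

# SeDenyInteractiveLogonRight       = "Deny log on locally"
# SeDenyRemoteInteractiveLogonRight = "Deny log on through Remote Desktop Services"
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $names = foreach ($entry in $rights[$right]) {
        if ($entry -like '*S-1-*') {
            # secedit writes SIDs prefixed with '*'; translate to an account name when possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $entry.TrimStart('*')
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else {
            $entry
        }
    }
    '{0}: {1}' -f $right, ($names -join '; ')
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

The value printed for SeDenyInteractiveLogonRight is the effective setting after the domain controllers' GPO has applied; on a DC that right is edited in the Default Domain Controllers Policy under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment, not in the machine's local secpol. An account that shows up in both the Administrators list and a deny-logon right still holds full directory rights, since the deny rights only block interactive and RDP sessions on that machine, not administrative access to AD over the network.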
SOLUTION

This solution is only available to members.
OK, well the rack is locked, and it's only temporary until the website and print server function is transferred off the DC. Thanks for all the help.