Solved

How to grant a user 'local' admin on a DC

Posted on 2008-10-08
7
540 Views
Last Modified: 2013-11-25
We have a small domain with 3 servers. Only 1 was a DC. I took the step of upgrading a 2nd to DC for obvious reasons. One of our users controls print queues and another administrates a website and IIS/SQL on the promoted DC and both were in the local admin group previously. They need to be admins on the server, but I don't want either to be a domain admin as I don't want prevent access to the other 2 servers.

I put together a GP that included the "Administrators" Security group for the 2nd DC, and added their user names to it. It didn't work, although I half didn't expect it to. I know this GP is correct, because I have other identical GPs for groups of PCs elsewhere in the domain.

Can anyone suggest a decent solution to the problem of giving a user account 'local' admin access on a DC?
0
Comment
Question by:AdoBeebo
7 Comments
 
LVL 8

Assisted Solution

by:mikainz
mikainz earned 100 total points
ID: 22667243
there are no local administrators on DCs, because a DC does not have a local SAM.
You need to use built in User Groups like printer operators and set permissions on the objects and or give those users special rights like log on locally through GPO for DCs.
hth
0
 
LVL 3

Author Comment

by:AdoBeebo
ID: 22667258
I've got a GPO already for this which isn't having the desired effect, although I've specified "Administrators" rather than "BUILTIN\Administrators". I'll give it a try now.
0
 
LVL 38

Accepted Solution

by:
ChiefIT earned 200 total points
ID: 22667470
You can do a couple of things:

One is to grant them access as printer operators and grant them admin rights to the website folders, (usually found in C:\WWWroot) as mkainz was saying.

Below is a step-by-step guide to the delegation of control. It is done by a wizard and is pretty easy to set up.
http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml

You can grant admin rights to printers, (I don't know about web pages), password policies with delegation of control.
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 22668314
It's worth noting that, strictly speaking, making someone a member of the Administrators group on a DC gives them full administrative rights to every DC in your domain, and full administrative rights to your Active Directory database.

Especially now that MS fully supports domain controllers in a virtualized environment, a far better choice would be to create a virtual host to run as a dedicated domain controller, and leave your non-DAs as local administrators on member servers only.
0
 
LVL 3

Author Comment

by:AdoBeebo
ID: 22670685
This is where I am up to. Both users are under the "BUILTIN\Administrators" group, and have verified that they are able to work as normal on the 2nd DC. On the 1st DC I have added their UNs to the "Deny logon through Terminal Services" in local secpol, tested it and they get the standard warning about being in Remote Desktop User group. So 75% done. They can still logon to the 1st DC locally, a privilege that I want to remove.
"Deny logon locally" has greyed out buttons in the machine's local secpol. Any idea, other than a GPO to accomplish the same and deny local logon?
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 200 total points
ID: 22670935
You can't deny logon locally to Administrators. This is by design to prevent you from shooting yourself in the foot. And since BUILTIN\Administrators are administrators on all DCs, you're not going to be able to prevent logon locally on one DC or another.
0
 
LVL 3

Author Closing Comment

by:AdoBeebo
ID: 31504146
OK, well the rack is locked, and it's only temporary until the website and print server function is transferred off the DC. Thanks for all the help.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, you will read about the trends across the human resources departments for the upcoming year. Some of them include improving employee experience, adopting new technologies, using HR software to its full extent, and integrating artifi…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now