Configure Different Administrator Access Level in Win2k3 Server

Posted on 2010-01-08
Last Modified: 2012-05-08
How can I go about paring down the domain administrator access in Win 2k3 server so that I can delegate certain administrative functions to my IT staff to manage?
Question by:aneky
    LVL 11

    Expert Comment

    Domain Admins have the same access as Administrators.  You really should not pare this down.

    Better is to create a new group, and selectively add the privileges that you want the group to have.
    LVL 8

    Accepted Solution

    This can be done through Delegation of Permissions in AD.  The DoP Wizard doesn't offer much flexibility, but you can edit the DSACLs manually.

    Create a group and make your IT staff members of it.  Create an OU and move the objects that need to be managed into this OU (or sub-OUs).  Go to the Properties of the OU and then the Security tab.  (You need to turn on Advanced Features to see the Security tab.)  Click the Advanced button, click Add and select your group.  Review the various properties on both the Objects tab and the Properties tab; they are very granular.  These lists change when the scope is changed (the "Apply To" drop-down box).  It sounds like you'd be interested in "This Object Only" for create/delete permissions of users/groups/computers, and the "Groups Only", "Users Only", and "Computers Only" scopes.  You may have to add the same group several times to get all the ACLs you need, as only one scope can be selected and added at a time.

    By removing your Staff from Domain Admins, you effectively cut off their admin access to all workstation and server computers.  You'll probably want to create a Startup Script that adds the group you made above to the local Administrators group on the workstations and/or servers these admins will be managing.

    You should also consider moving the default location of new Computer objects, if they'll need to manage those (

    Also, anyone who is currently in a Protected Group (Enterprise Admins, Schema Admins, Domain Admins, Account Operators, Server Operators, Backup Operators, Print Operators) and is subsequently removed should have their "AdminCount" attribute cleared (via adsiedit or vbscript).  When this attribute is set to '1', permissions from AD are not inherited by the user object, and are taken from the AdminSDHolder object instead.  This isn't critical, just good housekeeping.
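One way to script the delegation the accepted solution walks through, as an added PowerShell example that is not from the answer above or from Experts Exchange. It assumes placeholder names (domain EXAMPLE / example.com, a group IT-Staff, an OU named Delegated, a user "Jane Doe"); steps 1, 2 and 4 run on a domain controller, while step 3 is the line that belongs in the startup script on the managed machines.

```powershell
# Added example, not from the original answer. Placeholder names:
# domain EXAMPLE (example.com), delegation group IT-Staff, OU "Delegated".
$domainDn = "DC=example,DC=com"
$ou       = "OU=Delegated,$domainDn"
$group    = "EXAMPLE\IT-Staff"

# 1. "This Object Only" scope: let the group create and delete user, group
#    and computer objects directly in the OU (CC = create child, DC = delete
#    child, qualified by object class; no /I switch means no inheritance).
foreach ($class in "user", "group", "computer") {
    dsacls $ou /G "${group}:CCDC;$class"
}

# 2. "Users Only" / "Groups Only" / "Computers Only" scopes: full control
#    (GA) over existing objects of each class, inherited into sub-OUs.
#    /I:S applies the ACE to child objects only, not to the OU itself.
foreach ($class in "user", "group", "computer") {
    dsacls $ou /I:S /G "${group}:GA;;$class"
}

# 3. Startup script for the managed workstations/servers (deploy through a
#    GPO under Computer Configuration > Windows Settings > Scripts > Startup;
#    it runs as SYSTEM, so no stored credentials are needed). If the group is
#    already a member, net simply reports an error, so it is safe at every boot.
net localgroup Administrators $group /add

# 4. Housekeeping for a user removed from a protected group: clear adminCount
#    AND re-enable ACL inheritance. Clearing adminCount alone is not enough,
#    because the AdminSDHolder process left the object's DACL marked protected.
$user = [ADSI]"LDAP://CN=Jane Doe,$ou"          # constructed sample user
$user.PutEx(1, "adminCount", $null)               # 1 = ADS_PROPERTY_CLEAR
$user.SetInfo()
$sd = $user.psbase.ObjectSecurity
$sd.SetAccessRuleProtection($false, $true)        # unprotect, keep existing ACEs
$user.psbase.CommitChanges()
```

After step 4, re-check the user's Security tab: the OU's delegated ACEs should now show as inherited rather than the AdminSDHolder copy.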

    LVL 2

    Expert Comment

    Create a new user and give this user appropriate rights; don't change rights of the default admin.
