nncs-mc asked:
Provide a branch office administrator access to local DC without control over domain admin account

We have a branch office in another state with a local Windows 2008 R2 domain controller and need to provide a local "admin" administrative access to that server without limitations on installing software or drivers on that server ONLY.  We also do NOT want this user to be able to edit accounts in the other offices (we are going to create an OU for this location and delegate administrative permissions to this user for this OU) the ability to edit domain accounts elsewhere in the domain.  We also do NOT want this user to be able to change the main "administrator" password or the passwords for other admins.  Anyone know the secret sauce for this one?
madhatter5501:
Make them a local admin and go through the delegation permission wizard for that OU.

kevinhsieh:
You can't limit administrative access to that DC ONLY, because EVERY DC shares the same local accounts database, which is actually part of AD. A local administrator on 1 DC is a local administrator on EVERY DC. I suggest you not make this person an administrator on the DCs; the main IT staff should retain that level of control.

You can let the person modify accounts for only a particular OU by using the AD delegation permission wizard. If you install the Remote Server Administration Tools on a workstation, your local person shouldn't even need to log on to the server.

In addition to Kevin's answer, you can also create a taskpad for them so all they see is their OU when you delegate rights: http://www.petri.co.il/create_taskpads_for_ad_operations.htm

You can also extend the delegation control wizard, which will give you more granular choices for delegation: http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

Thanks

Mike
nncs-mc (ASKER):

Thanks for the suggestions, but we need this user to be able to administer this server (change drivers, install applications), so local admin would be nice if it weren't a DC. After a little more research we stumbled upon Read Only Domain Controllers (RODC), which appears to be exactly what we are trying to accomplish. Has anyone worked with these before? It appears that you can delegate admin rights to a user strictly for the RODC only.
I don't think that RODC is going to do what you want, because the user could still make changes to AD (which is what you want anyway), and the user can still RDP into another DC and add/delete software, load drivers, etc. on those other DCs.

If you have two servers (or 2 VMs), you can give that person admin access to the file server only, and then non-admin access to AD, but you can't say "I trust you and allow you to have full admin rights to this domain controller over here, but you have no access to these other domain controllers over there". It just doesn't work that way. All or nothing.

nncs-mc (ASKER):

OK, what we have ended up doing is using the RODCs and tested giving one user local administrative rights, which is available on the RODCs. They cannot make changes to AD accounts, passwords, etc. Perfect!
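The setup the asker landed on (an RODC with Administrator Role Separation, plus delegation scoped to the branch OU as Kevin suggested), scripted as an added example that is not from this thread. RODC01, the Branch OU, the Branch-Admins group and the CORP domain are assumed names; run it from a writable DC or an RSAT workstation with the ActiveDirectory module.

```powershell
# Added example, not from the thread. Names (RODC01, Branch OU, Branch-Admins, CORP) are assumptions.
Import-Module ActiveDirectory

$rodcName    = 'RODC01'                                         # assumed RODC computer name
$branchOU    = 'OU=Branch,DC=corp,DC=example'                   # assumed branch OU
$branchGroup = 'CN=Branch-Admins,OU=Branch,DC=corp,DC=example'  # assumed delegate group
$privileged  = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'

# 1. Administrator Role Separation: the principal named in the RODC computer
#    object's managedBy attribute becomes a local Administrator on that RODC only.
#    Nothing is added to Domain Admins, so the writable DCs stay out of reach.
$rodc = Get-ADComputer -Identity $rodcName
Set-ADObject -Identity $rodc.DistinguishedName -Replace @{ managedBy = $branchGroup }

# 2. OU delegation, the scripted equivalent of the Delegation of Control wizard:
#    full control over user objects inside the branch OU and nothing outside it.
dsacls $branchOU /I:S /G "CORP\Branch-Admins:GA;;user"

# 3. Password Replication Policy: allow the branch group's secrets to be cached on
#    the RODC. The default denied list (Domain Admins and the other privileged
#    groups) is left in place so the RODC never holds privileged credentials.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -AllowedList $branchGroup

# 4. Verification: no privileged account may be cached on the RODC, and the branch
#    group must not have been added directly to a privileged group.
$privilegedDNs = foreach ($g in $privileged) {
    (Get-ADGroupMember -Identity $g -Recursive).DistinguishedName
}
$cached = (Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts).DistinguishedName
$leaked = $cached | Where-Object { $privilegedDNs -contains $_ }
if ($leaked) { Write-Warning "Privileged accounts cached on ${rodcName}: $($leaked -join ', ')" }

foreach ($g in $privileged) {
    if ((Get-ADGroupMember -Identity $g).DistinguishedName -contains $branchGroup) {
        Write-Warning "$branchGroup is a direct member of $g; remove it"
    }
}
```

Step 4 is the check worth re-running periodically: an RODC admin has physical and OS-level control of the box, so the value of the design rests on privileged accounts never being cached there and the delegate group never gaining domain-wide rights.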
ASKER CERTIFIED SOLUTION
kevinhsieh
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.