• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 409

Provide a branch office administrator access to local DC without control over domain admin account

We have a branch office in another state with a local Windows 2008 R2 domain controller and need to provide a local "admin" administrative access to that server, without limitations on installing software or drivers, on that server ONLY.  We also do NOT want this user to be able to edit accounts in the other offices (we are going to create an OU for this location and delegate administrative permissions to this user for that OU) or to have the ability to edit domain accounts elsewhere in the domain.  We also do NOT want this user to be able to change the main "administrator" password or the passwords for other admins.  Anyone know the secret sauce for this one?
0
Asked by: nncs-mc
1 Solution
 
madhatter5501 commented:
Make them a local admin and go through the delegation permission wizard for that OU.
0
 
kevinhsieh commented:
You can't limit administrative access to that DC ONLY, because EVERY DC shares the same local accounts database, which is actually part of AD. A local administrator on one DC is a local administrator on EVERY DC. I suggest you not make this person an administrator on the DCs; the main IT staff should retain that level of control.

You can let the person modify accounts for only a particular OU by using the AD delegation permission wizard. If you install the Remote Server Administration Tools on a workstation, your local person shouldn't even need to log on to the server.
0
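The OU-scoped delegation described in the comment above, done from an RSAT workstation instead of the Delegation of Control wizard. This is an added example, not code from the thread; it assumes a domain EXAMPLE (example.local), an OU "OU=Branch,DC=example,DC=local", a delegation group "Branch-OU-Admins" and a branch user "branch-admin", all of which are placeholder names. It needs the ActiveDirectory module and dsacls.exe (both part of RSAT) and a domain admin to run it.

```powershell
# Added example (not from the original thread). Assumed names: domain EXAMPLE /
# example.local, OU "Branch", group "Branch-OU-Admins", user "branch-admin".
Import-Module ActiveDirectory

$domainDN = "DC=example,DC=local"
$ouDN     = "OU=Branch,$domainDN"
$group    = "Branch-OU-Admins"
$user     = "branch-admin"

# 1. Create the OU and a delegation group. Delegate to the group, never to the
#    user directly, so the rights can be revoked by removing one membership.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name "Branch" -Path $domainDN
}
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -Path $ouDN
}
Add-ADGroupMember -Identity $group -Members $user

# 2. ACEs on this OU only (what the "Delegate Control" wizard writes):
#    create/delete user and group objects here and in child OUs, full control
#    of those objects, and "Reset Password" on users. Other OUs, the domain
#    head and the privileged groups (which live in CN=Users / CN=Builtin) are
#    untouched. ${group} is braced because "$group:" would otherwise be parsed
#    as a scoped variable.
dsacls $ouDN /I:T /G "EXAMPLE\${group}:CCDC;user"
dsacls $ouDN /I:T /G "EXAMPLE\${group}:CCDC;group"
dsacls $ouDN /I:S /G "EXAMPLE\${group}:GA;;user"
dsacls $ouDN /I:S /G "EXAMPLE\${group}:GA;;group"
dsacls $ouDN /I:S /G "EXAMPLE\${group}:CA;Reset Password;user"

# 3. Checks afterwards.
#    a) The OU ACL lists the group only with rights scoped to user/group objects:
dsacls $ouDN | Select-String $group
#    b) The branch user's direct group memberships. Anything beyond
#       "Domain Users" and the delegation group needs an explanation; the
#       domain's Administrators group in particular is the local Administrators
#       group on every DC, which is the point made in the comment above.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object Name
```

Running the user's day-to-day work through RSAT on a workstation, as suggested above, means the user never needs a logon right on the DC at all, so "Allow log on locally" / "Allow log on through Remote Desktop Services" on the Default Domain Controllers Policy can stay at their defaults.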
 
Mike Kline commented:
In addition to Kevin's answer, you can also create a taskpad for them so all they see is their OU when you delegate rights: http://www.petri.co.il/create_taskpads_for_ad_operations.htm

You can also extend the delegation control wizard, which will give you more granular choices for delegation: http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

Thanks

Mike
0
 
nncs-mc (Author) commented:
Thanks for the suggestions, but we need this user to be able to administer this server (change drivers, install applications), so local admin would be nice if it weren't a DC.  After a little more research we stumbled upon Read Only Domain Controllers (RODC), which appears to be exactly what we are trying to accomplish.  Has anyone worked with these before?  It appears that you can delegate admin rights to a user strictly for the RODC only.
0
 
kevinhsieh commented:
I don't think that RODC is going to do what you want, because the user could still make changes to AD (which is what you want anyway), and the user can still RDP into another DC and add/delete software, load drivers, etc. on those other DCs.

If you have two servers (or 2 VMs), you can give that person admin access to the file server only, and then non-admin access to AD, but you can't say "I trust you and allow you to have full admin rights to this domain controller over here, but you have no access to these other domain controllers over there". It just doesn't work that way. All or nothing.
0
 
nncs-mc (Author) commented:
OK, what we ended up doing is using the RODCs; we tested giving one user local administrative rights, which is available on RODCs.  They cannot make changes to AD accounts, passwords, etc. Perfect!
0
 
kevinhsieh commented:
Did you test if they have local admin rights on your other DCs?
0
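The RODC setup the author describes, together with the check asked for in the last comment, as an added example that is not part of the thread. RODC administrator role separation is recorded in the managedBy attribute of the RODC's computer object; the RODC grants that principal membership of its own local Administrators group, which, unlike on a writable DC, is a real local group, so no domain group is involved. The example assumes an RODC already promoted as BRANCH-RODC, a branch user "branch-admin" and a group "Branch-Users" holding the branch's ordinary accounts (all placeholder names), and runs from an RSAT workstation as a domain admin.

```powershell
# Added example (not from the original thread). Assumed names: RODC
# "BRANCH-RODC", user "branch-admin", group "Branch-Users".
Import-Module ActiveDirectory

$rodc  = "BRANCH-RODC"
$admin = "branch-admin"

# 1. Administrator role separation: the principal in the RODC computer
#    object's managedBy attribute becomes a local Administrator on that RODC
#    only. No domain group membership is granted, so nothing carries over to
#    the writable DCs.
Set-ADComputer -Identity $rodc -ManagedBy (Get-ADUser $admin)

# 2. Password Replication Policy: cache only branch account secrets on the
#    RODC. A local admin on the RODC can read anything the RODC has cached, so
#    privileged accounts must never be in the allowed list. Domain Admins are
#    in "Denied RODC Password Replication Group" by default; leave them there.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "Branch-Users"

# 3. Checks.
#    a) The delegation lives on the RODC object and nowhere else:
(Get-ADComputer -Identity $rodc -Properties ManagedBy).ManagedBy

#    b) The question from the last comment: is the user an admin on the OTHER
#       DCs? That can only happen through these domain groups, because the
#       domain's Administrators group is the local Administrators group of
#       every writable DC. Recursive so nested groups are caught.
$privileged = "Administrators", "Domain Admins", "Enterprise Admins", "Account Operators", "Server Operators"
foreach ($g in $privileged) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
    if ($members -contains $admin) {
        Write-Warning "$admin is a (nested) member of $g and is therefore admin on every DC"
    }
}

#    c) What secrets the RODC currently holds. This is what a local admin on
#       the RODC could extract; it should contain only branch accounts.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object SamAccountName

#    d) On the RODC itself (as branch-admin):  net localgroup Administrators
#       should list the user; on a writable DC the same command should not.
```

The caveat that goes with this design: the branch admin is fully trusted with that box, including the secrets the RODC caches and the RODC's own krbtgt account, so the Password Replication Policy allowed list is the real boundary of what a compromise of the branch admin yields.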
 
Pber (Solutions Architect) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
