nncs-mc asked:
Provide a branch office administrator access to local DC without control over domain admin account

We have a branch office in another state with a local Windows 2008 R2 domain controller and need to provide a local "admin" administrative access to that server, without limitations on installing software or drivers, on that server ONLY.  We also do NOT want this user to be able to edit accounts in the other offices, i.e. the ability to edit domain accounts elsewhere in the domain (we are going to create an OU for this location and delegate administrative permissions to this user for this OU).  We also do NOT want this user to be able to change the main "administrator" password or the passwords for other admins.  Anyone know the secret sauce for this one?

Tags: Active Directory, Windows Server 2008

madhatter5501:

Make them a local admin and go through the delegation permission wizard for that OU.
kevinhsieh:
You can't limit administrative access to that DC ONLY, because EVERY DC shares the same local accounts database, which is actually part of AD. A local administrator on 1 DC is a local administrator on EVERY DC. I suggest you not make this person an administrator on the DCs; the main IT staff should retain that level of control.

You can let the person modify accounts for only a particular OU by using the AD delegation permission wizard. If you install the Remote Server Administration Tools on a workstation, your local person shouldn't even need to log on to the server.
Mike Kline:

In addition to Kevin's answer, you can also create a taskpad for them so all they see is their OU when you delegate rights: http://www.petri.co.il/create_taskpads_for_ad_operations.htm

You can also extend the delegation control wizard, which will give you more granular choices for delegation: http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

Thanks

Mike
nncs-mc (asker):

Thanks for the suggestions, but we need this user to be able to administer this server (change drivers, install applications), so local admin would be nice if it weren't a DC.  After a little more research we stumbled upon Read Only Domain Controllers (RODC), which appears to be exactly what we are trying to accomplish.  Has anyone worked with these before?  It appears that you can delegate admin rights to a user strictly for the RODC only.
kevinhsieh:
I don't think that RODC is going to do what you want, because the user could still make changes to AD (which is what you want anyway), and the user can still RDP into another DC and add/delete software, load drivers, etc. on those other DCs.

If you have two servers (or 2 VMs), you can give that person admin access to the file server only, and then non-admin access to AD, but you can't say "I trust you and allow you to have full admin rights to this domain controller over here, but you have no access to these other domain controllers over there". It just doesn't work that way. All or nothing.
nncs-mc (asker):

OK, what we have ended up doing is using the RODCs; we tested giving one user local administrative rights, which is available on the RODCs.  They cannot make changes to AD accounts, passwords, etc. Perfect!
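One way to script the arrangement the thread ends up with (OU-scoped delegation for account work, plus RODC Administrator Role Separation for server work), as an added PowerShell example that is not from the thread; the domain, OU, group, RODC and user names are assumed, and it needs the ActiveDirectory module and dsacls.exe:

```powershell
# Added example, not from the thread. Assumed names: domain CONTOSO (contoso.com),
# branch OU "Branch1", delegated group "Branch1-Admins", RODC "BR1-RODC", user "bjones".
Import-Module ActiveDirectory

$ou    = "OU=Branch1,DC=contoso,DC=com"
$group = "Branch1-Admins"

# 1. Branch OU and the group that receives the delegated rights.
New-ADOrganizationalUnit -Name "Branch1" -Path "DC=contoso,DC=com" -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $group -Members "bjones"

# 2. Delegate user-object management inside the branch OU only (what the
#    Delegation of Control wizard does): create/delete users, reset passwords,
#    force password change, unlock, enable/disable. /I:S scopes the ACEs to
#    objects under this OU, so nothing elsewhere in the domain is touched.
dsacls $ou /I:T /G "CONTOSO\${group}:CCDC;user"
dsacls $ou /I:S /G "CONTOSO\${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "CONTOSO\${group}:RPWP;pwdLastSet;user"
dsacls $ou /I:S /G "CONTOSO\${group}:RPWP;lockoutTime;user"
dsacls $ou /I:S /G "CONTOSO\${group}:RPWP;userAccountControl;user"

# 3. Administrator Role Separation: the principal in the RODC computer object's
#    managedBy attribute is a local administrator of that RODC only (same effect
#    as running ntdsutil "local roles" on the RODC), with no rights on other DCs.
Set-ADComputer -Identity "BR1-RODC" -ManagedBy (Get-ADGroup -Identity $group)

# 4. Checks: the branch admin must hold no domain-wide admin membership, and the
#    RODC's Password Replication Policy must not allow privileged accounts to be
#    cached on a server this person fully controls.
$privileged = "Domain Admins","Enterprise Admins","Administrators","Account Operators","Server Operators"
$memberOf   = (Get-ADPrincipalGroupMembership -Identity "bjones").Name
$leak       = $memberOf | Where-Object { $privileged -contains $_ }
if ($leak) { Write-Warning "bjones is in privileged group(s): $($leak -join ', ')" }
else       { Write-Output "OK: bjones holds no domain-wide admin group membership" }

$cached = Get-ADDomainControllerPasswordReplicationPolicy -Identity "BR1-RODC" -Allowed |
          Where-Object { $privileged -contains $_.Name }
if ($cached) { Write-Warning "Privileged principals allowed in PRP: $($cached.Name -join ', ')" }
else         { Write-Output "OK: no privileged principals in the RODC allowed list" }
```

The default "Denied RODC Password Replication Group" already blocks the built-in admin groups from caching; the last check is there to catch anyone who later loosens that policy.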
ASKER CERTIFIED SOLUTION
kevinhsieh:
Pber:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.