Provide a branch office administrator access to local DC without control over domain admin account

We have a branch office in another state with a local Windows 2008 R2 domain controller and need to provide a local "admin" administrative access to that server without limitations on installing software or drivers on that server ONLY.  We also do NOT want this user to have the ability to edit domain accounts elsewhere in the domain (we are going to create an OU for this location and delegate administrative permissions to this user for this OU).  We also do NOT want this user to be able to change the main "administrator" password or the passwords for other admins.  Anyone know the secret sauce for this one?
nncs-mc asked:
madhatter5501 commented:
Make them a local admin and go through the delegation permission wizard for that OU.
0
kevinhsieh commented:
You can't limit administrative access to that DC ONLY, because EVERY DC shares the same local accounts database, which is actually part of AD. A local administrator on 1 DC is a local administrator on EVERY DC. I suggest you not make this person an administrator on the DCs; the main IT staff should retain that level of control.

You can let the person modify accounts for only a particular OU by using the AD delegation permission wizard. If you install the Remote Server Administration Tools on a workstation, your local person shouldn't even need to logon to the server.
0
Mike Kline commented:
In addition to Kevin's answer you can also create a taskpad for them so all they see is their OU when you delegate rights: http://www.petri.co.il/create_taskpads_for_ad_operations.htm

You can also extend the delegation control wizard, which will give you more granular choices for delegation: http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

Thanks

Mike
0
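As an added example (not code from any of the posters), this is the OU-scoped delegation the wizard in Kevin's and Mike's answers performs, written with the AD PowerShell module so the resulting ACEs are explicit and auditable. The OU, group and domain names are assumptions; the schema GUIDs are the standard ones for the user class and the Reset Password right.

```powershell
# Delegate user-account administration on ONE branch OU, without granting
# anything on the rest of the domain. Names below are assumptions.
Import-Module ActiveDirectory

$ou        = "OU=Branch-Office,DC=corp,DC=example"   # assumed branch OU
$groupName = "Branch-Office-UserAdmins"              # assumed delegation group
$domainDn  = "DC=corp,DC=example"                    # assumed domain

# Well-known schema GUIDs used by the Delegation of Control Wizard
$userClass     = "bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class
$resetPassword = "00299570-246d-11d0-a768-00aa006e0529"   # Reset Password extended right
$anyObject     = [Guid]::Empty                             # "all properties / all classes"

function Add-OuAce($Acl, $Sid, $Rights, $ObjectType, $Inheritance, $InheritedType) {
    # Always use the six-argument constructor so overload resolution is unambiguous
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [Guid]$InheritedType)
    $Acl.AddAccessRule($rule)
}

$sid = (Get-ADGroup $groupName).SID
$acl = Get-Acl -Path "AD:\$ou"

# 1. Create/delete user objects in this OU and any child OUs
Add-OuAce $acl $sid "CreateChild,DeleteChild" $userClass "All" $anyObject
# 2. Write all properties of user objects below the OU
Add-OuAce $acl $sid "WriteProperty" $anyObject "Descendents" $userClass
# 3. Reset passwords, but only on those user objects
Add-OuAce $acl $sid "ExtendedRight" $resetPassword "Descendents" $userClass

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: the group should hold no ACEs on the domain root, the Domain Controllers OU
# or CN=Users (where the built-in Administrator and the admin groups live).
foreach ($path in @($domainDn, "OU=Domain Controllers,$domainDn", "CN=Users,$domainDn")) {
    $hits = @((Get-Acl "AD:\$path").Access | Where-Object { $_.IdentityReference -like "*\$groupName" })
    "{0,-45} ACEs for {1}: {2}" -f $path, $groupName, $hits.Count
}
```

Accounts in protected groups (Domain Admins, Administrators and the like) are additionally covered by AdminSDHolder, so an OU ACE like the above cannot reach their passwords even if such an account were moved into the branch OU.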
nncs-mc (author) commented:
Thanks for the suggestions, but we need this user to be able to administer this server (change drivers, install applications), so local admin would be nice if it weren't a DC.  After a little more research we stumbled upon Read Only Domain Controllers (RODC), which appears to be exactly what we are trying to accomplish.  Has anyone worked with these before?  It appears that you can delegate admin rights to a user strictly for the RODC only.
0
kevinhsieh commented:
I don't think that RODC is going to do what you want, because the user could still make changes to AD (which is what you want anyway), and the user can still RDP into another DC and add/delete software, load drivers, etc. on those other DCs.

If you have two servers (or 2 VMs), you can give that person admin access to the file server only, and then non-admin access to AD, but you can't say "I trust you and allow you to have full admin rights to this domain controller over here, but you have no access to these other domain controllers over there". It just doesn't work that way. All or nothing.
0
nncs-mc (author) commented:
OK, what we have ended up doing is using the RODCs, and we tested giving one user local administrative rights, which is available on the RODCs.  They cannot make changes to AD accounts, passwords, etc. Perfect!
0
kevinhsieh commented:
Did you test if they have local admin rights on your other DCs?
0
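An added check (not from any of the posters) that answers Kevin's last question: given the RODC set-up the author describes, confirm that the delegated branch administrator is tied to the RODC's managedBy attribute and is not, directly or through nested groups, a member of any group that is an administrator on the writable DCs. The user and RODC names are assumptions.

```powershell
# Audit: does the RODC's delegated admin hold admin rights anywhere else?
# Names are assumptions; run from a workstation with RSAT / the AD module.
Import-Module ActiveDirectory

function Test-RodcAdminScope($UserName, $RodcName) {
    $user = Get-ADUser $UserName
    $rodc = Get-ADComputer $RodcName -Properties managedBy, IsReadOnly

    # Groups whose members are administrators on EVERY domain controller
    $privileged = "Domain Admins", "Enterprise Admins", "Administrators",
                  "Account Operators", "Server Operators", "Backup Operators",
                  "Print Operators", "Schema Admins"

    # Recursive membership via the LDAP_MATCHING_RULE_IN_CHAIN matching rule;
    # a DN containing ( ) or \ would need LDAP escaping before use in the filter
    $dn     = $user.DistinguishedName
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
    $bad    = @($groups | Where-Object { $privileged -contains $_.Name } | ForEach-Object Name)

    [PSCustomObject]@{
        User                = $user.SamAccountName
        Rodc                = $RodcName
        RodcIsReadOnly      = [bool]$rodc.IsReadOnly
        ManagedBy           = $rodc.managedBy   # admin role separation: should be the user or their group
        PrivilegedGroups    = $bad              # should be empty
        AdminOnWritableDCs  = ($bad.Count -gt 0)
    }
}

Test-RodcAdminScope -UserName "branch.admin" -RodcName "BRANCH-RODC01" | Format-List
```

If PrivilegedGroups is anything but empty, the user is an administrator on the writable DCs as well, which is exactly the situation Kevin warned about; managedBy (or the roles set with ntdsutil "local roles" on the RODC itself) is the only place the branch admin should appear.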
Pber (Solutions Architect) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0