Mike Montgomery asked:

Delegating local admin access to a Windows 2003 R2 Standard Server with SP2 running as a DC


I have a challenge with controlling administrative access to a Windows 2003 R2 Standard server running SP2 and operating as a DC. My company has recently opened an office overseas, and we have installed a local site server running AD, DNS and DHCP, as well as providing local file and print services to the office.

Since we have no local IT staff there, we have an agreement with a local IT support firm to provide on-site IT support as needed. I need to be able to allow this local IT company to have local admin access to the Windows server to manage print services, modify shares and perform server repairs and diagnostics. I do not want them to have full access to AD, nor do I want them to have the ability to remotely log on to any other server in our domain. If this were a member server it would be simple, but as this is a domain controller I am not sure how, or even if, it is possible to restrict them to only having admin access on the one domain controller.

I do know I can use delegated control in AD to restrict their access to AD tasks, but I see no way to avoid giving them membership in the domain administrators group to allow logon and admin rights to the local server. Since domain admin access would override any delegation, I need to know if there is a way to restrict them to only having admin access on one domain controller and limited AD access.

Mike Montgomery

I was able to create a workaround using AD delegation control, restricted (non-domain admin) group access and the "logon to" restrictions on the user account. It is not perfect but does achieve the desired outcome.