Delagating local admin access to a Windows 2003 R2 Standard Server with SP2 running as a DC

Mike Montgomery
Mike Montgomery used Ask the Experts™

I have a challenge with controlling administrative access to a Windows 2003 R2 Standard server running SP2 and operating as a DC. My company has recently opened an office over seas and we have installed a local site server running AD, DNS, DHCP as well as providing local file and print services to the office.

Since we have no local IT staff there we have an agreement with a local IT support firm to provide on site IT support as needed. I need to be able to allow this local IT company to have local admin access to the Windows server to manage print services, modify shares and perform server repairs and diagnostics. I do not want them to have full access to AD nor do I want them to have the ability to remotely log on to any other server in our domain. If this was a member server it would be simple but as this is a domain controller I am not sure how or even if it is possible to restrict them to only have admin access on the one domain controller.

I do know I can use delegated control in AD to restrict their access to AD tasks but I see no way to avoid giving them membership to the domain adminstrators group to allow logon and admin rights to the local server. Since domain admin access would over ride any delagation I need to know if there is a way to restrict them to only having admin access on one domain controller and limited AD access.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Unfortunatelly there is no way to restrict administration rights to single DC with 2003. This is only possible with 2008 and then specifically with RODCs (read only domain controllers).

Best practice for that is to have 2 servers, a DC exclusivelly for domain services, and a member server for local services (file, print, etc.).
Mike MontgomeryInfrastructure Manager


I was able to create a work around using AD delgation control, restricted (non domain admin) group access and the "logon to" restrictions on the user account. It is not perfect but does achieve the desired outcome.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial