Avatar of Mike Montgomery
Mike Montgomery
Flag for Canada asked on

Delagating local admin access to a Windows 2003 R2 Standard Server with SP2 running as a DC


I have a challenge with controlling administrative access to a Windows 2003 R2 Standard server running SP2 and operating as a DC. My company has recently opened an office over seas and we have installed a local site server running AD, DNS, DHCP as well as providing local file and print services to the office.

Since we have no local IT staff there we have an agreement with a local IT support firm to provide on site IT support as needed. I need to be able to allow this local IT company to have local admin access to the Windows server to manage print services, modify shares and perform server repairs and diagnostics. I do not want them to have full access to AD nor do I want them to have the ability to remotely log on to any other server in our domain. If this was a member server it would be simple but as this is a domain controller I am not sure how or even if it is possible to restrict them to only have admin access on the one domain controller.

I do know I can use delegated control in AD to restrict their access to AD tasks but I see no way to avoid giving them membership to the domain adminstrators group to allow logon and admin rights to the local server. Since domain admin access would over ride any delagation I need to know if there is a way to restrict them to only having admin access on one domain controller and limited AD access.
Windows Server 2003Active Directory

Avatar of undefined
Last Comment
Mike Montgomery

8/22/2022 - Mon

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Mike Montgomery

I was able to create a work around using AD delgation control, restricted (non domain admin) group access and the "logon to" restrictions on the user account. It is not perfect but does achieve the desired outcome.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy