

Assign Administrator Permission for a Group on 1 DC Only out of 3

Posted on 2012-09-15
Medium Priority
Last Modified: 2012-09-15

I have 2 Windows 2008 R2 DC Servers in one site in one location, which is headquarters, then another DC in another site. All on the same domain joined by a site-to-site VPN link.

I want to enable a group I have created in AD containing 2 users to have Administrative power over their DC, without them being able to mess with the other two.

Is this possible and how?
Question by:zarok
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38401524
Too bad each site doesn't have its own subdomain, i.e.
ny.company.com, ak.company.com, eu.company.com; then it's simple: domain admins. Otherwise you seem to be left with delegation.

Author Comment

ID: 38401528
Yeah, I considered doing 2 subs when I set this all up! But every damn article these days on multiple domains under forests advises against it!

Prob is I'm pretty much finished and this goes into production next week, with the off-site server being shipped to them... Kinda an afterthought, hell, don't want them accessing the whole domain!! haha

Author Comment

ID: 38401530
I've delegated admin in Sites and Services for the group. But I'm guessing that only allows them to control Site objects under their site?

I'm sure I need to also delegate in AD somewhere?

LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 400 total points
ID: 38401614
Yes, create an OU for each group of users and then follow these steps

Author Comment

ID: 38401647
Yeah, that isn't quite the same though. That would be travelling down the path of actually 'building' an admin account for that DC. Although entirely possible, it would not involve just those steps. That only gives delegation over the object in AD? So they can change 'it'

Hmm, if I have enough time tomorrow, I might configure it all, then I'll post the steps on here, as there is no information on the internet on how to do it and MS certainly doesn't support it lol
LVL 58

Accepted Solution

tigermatt earned 1600 total points
ID: 38402441
Bear in mind that true 'per machine' administrative access is not possible with Domain Controllers. These are in a league of their own and should be treated with care.

Only persons you trust should have admin access (or even physical access - depending on security requirements) to a Domain Controller. Once someone gains those rights, it is trivial for anyone with a bit of sense to escalate their rights to Domain and/or Enterprise admin of the entire forest. If they intend to cause damage then from that point all hope is lost.

Quite simply, if you don't trust the remote admins, then I would suggest using a read-only domain controller (RODC) instead or not granting this level of privilege in the first place. Not granting rights helps with the security issue, but an RODC overcomes the risk if the machine is compromised. Like I say, with physical access, anyone with a little sense can do just about anything, and a knowledgeable person could access a Domain Admin account in as little as 10 minutes.

If remote admins need rights to manage user accounts/computer objects, then use the delegation of control process as previously described to achieve that and have them use management tools on a workstation. Lights-out management tools such as HP iLO or Dell DRAC make it really easy for you to remotely manage a DC without driving to site, and that would be my preferred solution to granting excessive rights unnecessarily.

The general rule is - if you are granting Domain Admin rights to someone who is NOT ultimately responsible for the strategic governance of making the entire domain/forest tick, then don't grant those rights.
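As an added example (not code from the thread or from either expert), here is the "delegation of control" approach tigermatt recommends, done in PowerShell instead of the wizard: the group gets only Reset Password and unlock rights on user objects under one OU, nothing on the DC itself. The OU name "OU=Branch Users,DC=example,DC=com" and the group name "Branch-Helpdesk" are placeholders; it assumes the RSAT ActiveDirectory module and rights to write the OU's ACL.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the thread)
$ouDN  = "OU=Branch Users,DC=example,DC=com"
$group = "Branch-Helpdesk"

$rootDSE  = Get-ADRootDSE
$groupSid = (Get-ADGroup -Identity $group).SID

# Resolve GUIDs from the schema / configuration partition instead of hardcoding them
function Get-SchemaGuid([string]$ldapName) {
    $obj = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase $rootDSE.configurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$displayName))" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'          # inherited-object type: only user objects
$lockoutTime = Get-SchemaGuid 'lockoutTime'   # writing this attribute unlocks an account
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# One ACE scoped to a single right/attribute on user objects below the OU
function New-DelegationRule($right, [guid]$objectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $groupSid, $right, $allow, $objectType, $inherit, $userClass
}
$rules = @(
    (New-DelegationRule ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) $resetPwd),
    (New-DelegationRule ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) $lockoutTime)
)

# Apply to the OU only. This grants nothing on the DC: built-in groups such as
# Server Operators / Account Operators are domain-wide on every DC, so prefer this.
$acl = Get-Acl -Path "AD:\$ouDN"
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs that now reference the delegated group
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$group" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Run the same script against each branch OU with its own group; rights stop at the OU boundary, which is the "per site" scoping the question asks for without touching DC membership.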


Author Comment

ID: 38402456
Good point Matt, and after discussion with another Admin, he said the same thing - even with a 'custom' admin account, it would not be too hard to gain proper admin again.

Unfortunately it isn't my choice to give them such control but I'll use 'Server Operators' and 'Account Operators' for them, and good communication :)

In hindsight, yes, an RODC might have been more applicable.

Thanks for your help.
