Assign Administrator Permission for a Group on 1 DC Only out of 3

Posted on 2012-09-15
Last Modified: 2012-09-15

I have 2 Windows 2008 R2 DC Servers in one site in one location, which is headquarters, then another DC in another site. All on the same domain joined by a site-to-site VPN link.

I want to enable a group I have created in AD containing 2 users to have Administrative power over their DC, without them being able to mess with the other two.

Is this possible and how?
Question by:zarok

    Expert Comment

    by:David Johnson, CD, MVP
    Too bad each site doesn't have its own subdomain; then it's simply Domain Admins. Otherwise you seem to be left with delegation.

    Author Comment

    Yeah, I considered doing 2 subs when I set this all up! But every damn article these days on multiple domains under forests advises against it!

    Prob is I'm pretty much finished and this goes into production next week, with the off-site server being shipped to them... Kind of an afterthought; hell, don't want them accessing the whole domain!! haha

    Author Comment

    I've delegated admin in Sites and Services for the group. But I'm guessing that only allows them to control Site objects under their site?

    I'm sure I need to also delegate in AD somewhere?

    Assisted Solution

    by:David Johnson, CD, MVP
    Yes, create an OU for each group of users and then follow these steps.

    Author Comment

    Yeah, that isn't quite the same though. That would be travelling down the path of actually 'building' an admin account for that DC. Although entirely possible, it would not involve just those steps. That only gives delegation over the object in AD? So they can change 'it'.

    Hmm, if I have enough time tomorrow, I might configure it all, then I'll post the steps on here, as there is no information on the internet on how to do it and MS certainly doesn't support it lol

    Accepted Solution

    Bear in mind that true 'per machine' administrative access is not possible with Domain Controllers. These are in a league of their own and should be treated with care.

    Only persons you trust should have admin access (or even physical access - depending on security requirements) to a Domain Controller. Once someone gains those rights, it is trivial for anyone with a bit of sense to escalate their rights to Domain and/or Enterprise admin of the entire forest. If they intend to cause damage then from that point all hope is lost.

    Quite simply, if you don't trust the remote admins, then I would suggest using a read-only domain controller (RODC) instead or not granting this level of privilege in the first place. Not granting rights helps with the security issue, but an RODC overcomes the risk if the machine is compromised. Like I say, with physical access, anyone with a little sense can do just about anything, and a knowledgeable person could access a Domain Admin account in as little as 10 minutes.

    If remote admins need rights to manage user accounts/computer objects, then use the delegation of control process as previously described to achieve that and have them use management tools on a workstation. Lights-out management tools such as HP iLO or Dell DRAC make it really easy for you to remotely manage a DC without driving to site, and that would be my preferred solution to granting excessive rights unnecessarily.

    The general rule is - if you are granting Domain Admin rights to someone who is NOT ultimately responsible for the strategic governance of making the entire domain/forest tick, then don't grant those rights.
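    The accepted solution above argues that per-DC admin rights cannot be contained and that delegation of control over an OU plus the built-in operator groups is where the risk actually lives. The following audit script is an added example, not code from the original thread or from any of its participants. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, and uses two placeholder names, a delegated group `RemoteSiteAdmins` and a delegated OU `OU=RemoteSite,DC=example,DC=com`, that do not come from the thread. It lists which privileged built-in groups the delegated group's members have ended up in (recursively, so nested membership is caught), and then prints the ACEs that group holds on its OU so the delegation can be checked against what was intended.

```powershell
# Added example (not from the original thread). Assumes RSAT's ActiveDirectory
# module. The group and OU below are hypothetical placeholders.
Import-Module ActiveDirectory

$DelegatedGroup = 'RemoteSiteAdmins'                   # hypothetical group
$DelegatedOU    = 'OU=RemoteSite,DC=example,DC=com'    # hypothetical OU

# Built-in groups whose membership is either Domain/Enterprise Admin outright
# or, as the accepted answer notes for DCs, can be turned into it.
$PrivilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Server Operators', 'Account Operators', 'Backup Operators', 'Print Operators'
)

function Get-PrivilegedMembership {
    # Returns one row per (privileged group, member) pair, expanding nested groups.
    foreach ($name in $PrivilegedGroups) {
        $grp = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
        if (-not $grp) { continue }   # e.g. Enterprise Admins only exists in the forest root
        Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    PrivilegedGroup = $name
                    Member          = $_.SamAccountName
                    ObjectClass     = $_.objectClass
                }
            }
    }
}

function Get-DelegatedGroupPrivileges {
    # Rows from Get-PrivilegedMembership restricted to members of the delegated group.
    $delegatedMembers = Get-ADGroupMember -Identity $DelegatedGroup -Recursive |
        Select-Object -ExpandProperty SamAccountName
    Get-PrivilegedMembership |
        Where-Object { $delegatedMembers -contains $_.Member } |
        Sort-Object PrivilegedGroup, Member
}

function Get-DelegatedOUAces {
    # ACEs on the delegated OU that name the delegated group (via the AD: drive).
    $acl = Get-Acl -Path "AD:\$DelegatedOU"
    $acl.Access |
        Where-Object { $_.IdentityReference -like "*\$DelegatedGroup" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType, InheritedObjectType
}

"== Privileged built-in groups reached by members of $DelegatedGroup =="
Get-DelegatedGroupPrivileges | Format-Table -AutoSize

"== ACEs held by $DelegatedGroup on $DelegatedOU =="
Get-DelegatedOUAces | Format-List
```

Run it from a management workstation with RSAT rather than on the DC itself, which matches the accepted answer's advice to keep remote admins off the DC console. An empty first table is the desired result if the group was only meant to have delegated control over its OU; any row naming Server Operators or Account Operators shows exactly the built-in rights the question is trying to scope down.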


    Author Comment

    Good point Matt, and after discussion with another Admin, he said the same thing - even with a 'custom' admin account, it would not be too hard to gain proper admin again.

    Unfortunately it isn't my choice to give them such control but I'll use 'Server Operators' and 'Account Operators' for them, and good communication :)

    In hindsight, yes, an RODC might have been more applicable.

    Thanks for your help.
