What are the limitations of having remote management of AD without actually being able to log into the server AD?

Hello EE,

I have a situation where corporate wants us to have all remote access and support ability, but will not allow us access to the actual domain controller itself.  They have given us remote ability from a second server to manage DNS and DHCP as well as install ADUC for creating user and computer accounts.  What limitations do we have in support without access to the server.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Helao MwapangashaData Centre: Server EngineerCommented:
Hi operationsIT

none if the account you are using to make the changes to DNS or DHCP and ADUC is part a security group with enough permissions or that has been delegated the appropriate AD permissions.
Guy LidbetterCommented:
What else do you need to do?

Those delegated rights are perfect for user\desktop management purposes so why would you need access to the DC if you have Admin tools installed?

I'm a Senior Global Infrastructure Engineer and I hardly EVER log onto a DC to do anything other than diagnose DC specific issues...
Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
We only use RSAT to manage DCs and functions.  The only time I logon to DC is to either reboot it or shutdown for maintenance.  Also note that with PowerShell, even tasks such as rebooting or shutting down will not require you to logon to the DC console.
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

operationsITAuthor Commented:
Hello,  I believe this to be correct for managing ADUC, but am concerned as the server is local to us but overseas from the actual admin that can log into the server so if there is a hardware problem and we need to diagnose something we don't have access.
Guy LidbetterCommented:
If there is a hardware problem I imagine the box will need to be powered back on, then can be diagnosed remotely... or will not power back on and there will be an error in the post, a blue screen or (if you have one) remote management card logs.
In this case the affected hardware will need to be replaced... you still don't need local logon...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
operationsITAuthor Commented:
That's what I figured but wanted to get some other backing.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.