Limited domain admin access

Need some guidance or assistance on how to give an IT staff member limited domain access. He works at our facility off-site, so he needs to be able to log in to the domain controllers at his facility but not have full domain admin rights. Can someone help with a guide or documentation on how to do this, or point me in the right direction?
Russ Suter (Senior Software Developer) commented:
I'm a bit confused as to why you would want someone who isn't a domain admin to log in to a domain controller. Do you mean you need him to authenticate against the domain controller?

What rights & permissions does he need to perform his job?

Have you considered a two factor authentication system?
dbaker213 (Author) commented:
He doesn't need to authenticate against the domain controller. This person is the domain admin of the off-site location, so he would need to be able to log in, restart, and shut down the DC at the site where the DCs physically are. Does this make sense, Russ?
Is there a way to make him admin of just that OU within the overall domain of the company?
Really just trying to give him domain access to just what he has at his location.
Russ Suter (Senior Software Developer) commented:
Gotcha. A couple of things come to mind.

1. If you are using multiple domains then you can make him a domain admin for just the domain of concern.
2. Explicit deny permissions ALWAYS take precedence over allow permissions. If you want to restrict his access to certain areas of a domain you can always set explicit deny permissions on his account. Better yet, create a group with the appropriate explicit deny permissions set and make sure his account is a member of that group.
dbaker213 (Author) commented:
Within the Security tab and the Advanced option, is there a detailed guide of what to deny? There seem to be quite a few options that I am not totally familiar with.
Lee W, MVP (Technology and Business Process Advisor) commented:
A domain admin is a person who administers the ENTIRE Active Directory Domain.  Period.

If the person is the SITE admin - who handles issues at the site - then you can delegate rights to allow them to manage the OU for that site (assuming you have broken down your AD structure at least in part by site).  You can (should) create a workstation admin group and a server admin group in the domain that has rights to manage the workstations only and the other for the servers only EXCLUDING the DCs.

If you need the person to have the ability to shut down the DC, you can modify the user rights on that system to give him the right to shutdown.

Keep in mind, all users should be given the MINIMUM rights required to do the tasks you've assigned to them... and no more.

Keep in mind, your security requirements have not been specified in great detail... exactly what is appropriate for your organization depends on what your organization needs.
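The delegation Lee W describes, as an added example that is not part of the thread: it creates one group per site scope (OU admins, workstation admins, server admins) and grants the OU-admin group control over the site's OU and its children via the ActiveDirectory module's AD: drive, then reads the ACL back to verify. The OU names, group names, and the account `jsmith` are assumptions. Granting allows on the site OU is preferable to scattering explicit deny ACEs around the domain, which are hard to audit later. Note that this delegation touches only objects under the site OU; the DC computer objects live in the Domain Controllers OU, and no AD ACL grants a logon right on a server, which is a separate user right.

```powershell
# Added example, not code from the thread. Run as a domain admin on a
# machine with the RSAT ActiveDirectory module. All names are assumptions.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$siteOU   = "OU=Site-Dallas,$domainDN"   # assumed: the site's OU, must already exist
$groupOU  = "OU=Groups,$domainDN"        # assumed: where admin groups are kept
$siteAdmin = 'jsmith'                    # assumed: the off-site IT staff member

# One security group per scope, so each set of rights can be granted on its own.
$groups = 'Site-Dallas-OU-Admins', 'Site-Dallas-Workstation-Admins', 'Site-Dallas-Server-Admins'
foreach ($name in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $groupOU
    }
}
Add-ADGroupMember -Identity 'Site-Dallas-OU-Admins' -Members $siteAdmin

# Delegate Full Control over the site OU and everything beneath it (and only there).
$sid  = (Get-ADGroup 'Site-Dallas-OU-Admins').SID
$acl  = Get-Acl -Path "AD:\$siteOU"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$siteOU" -AclObject $acl

# Verify: the ACE is present on the site OU...
(Get-Acl -Path "AD:\$siteOU").Access |
    Where-Object { $_.IdentityReference -like '*Site-Dallas-OU-Admins' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# ...and nothing was granted at the domain root or on the Domain Controllers OU.
foreach ($path in $domainDN, "OU=Domain Controllers,$domainDN") {
    $stray = (Get-Acl -Path "AD:\$path").Access |
        Where-Object { $_.IdentityReference -like '*Site-Dallas-*' }
    if ($stray) { Write-Warning "Unexpected Site-Dallas ACE on $path" }
}
```

The workstation and server admin groups should get their rights through local Administrators membership on the machines in the site OU (Restricted Groups or Group Policy Preferences Local Users and Groups in a GPO linked to that OU), not through AD ACLs; GenericAll on the OU is broad, so narrow it to specific object types and attributes if the site admin does not need to manage everything under it.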
Peter Hutchison (Senior Network Systems Specialist) commented:
Two possible ways to do it:
1. Add user to the Builtin Administrators group. This will allow login and manage the server (like a local admin) but NOT give Domain Admin rights.
2. Use the Security Policy console to give restart, shutdown, login etc rights to the user.
dbaker213 (Author) commented:
So we have structured the groups according to what you have stated, and the permissions were adjusted, but what is puzzling is that the problem is still the ability for this user to have shutdown capabilities on the domain controller.
Toni Uranjek (Consultant/Trainer) commented:
Which version of Windows Server do you have?
Muhammad Burhan (Manager I.T.) commented:
If he only needs read-only access, I believe AD will allow this by default. Though if he needs additional access, but not full domain admin privileges, simply go into Active Directory Users & Computers, enable advanced features (view> advanced features), and then you can right click on your domain/OUs, go to properties, and there'll be a security tab there to grant specific users/groups additional permissions.
dbaker213 (Author) commented:
Toni, we are on Server 2012.
Toni Uranjek (Consultant/Trainer) commented:
Windows Server 2008 and later support Administrator Role Separation, if you are using an RODC.

Administrator Role Separation

I don't know if RODC is an option for you, but ARS is exactly what you are looking for.
dbaker213 (Author) commented:
I right-clicked on the OU and delegated control for the group in question, and when trying to log in to the domain controller I now get the error "The connection was denied because the user account is not authorized for remote login."
Lee W, MVP (Technology and Business Process Advisor) commented:
I may not have been clear before - if he JUST needs to shut down the server, grant him the appropriate rights:

I believe that's Allow logon locally and Shut down the system.

Amit (IT Architect) commented:
Add user to account operators groups. That is enough for your requirement.
Peter Hutchison (Senior Network Systems Specialist) commented:
The following groups are allowed to "log on locally" and "shut down the system" on DCs:
Account Operators, Backup Operators, Print Operators, Server Operators, Administrators