dbaker213 asked:
Limited domain admin access
Need some guidance or assistance in how to give an IT staff member limited domain access. He works at our facility off-site, so he needs to be able to log in to the domain controllers at his facility but not have full domain admin rights. Can someone help with a guide or documentation of how to do this, or point me in the right direction?
ASKER
He doesn't need to authenticate against the domain controller. This person is the domain admin of the off-site location, so he would need to be able to log in, restart, and shut down the DC at the site where the DCs physically are. Does this make sense, Russ?
Is there a way to make him admin of just that OU within the overall domain of the company.
Really just trying to give him domain access to just what he has at his location.
Gotcha. A couple of things come to mind.
1. If you are using multiple domains then you can make him a domain admin for just the domain of concern.
2. Explicit deny permissions ALWAYS take precedence over allow permissions. If you want to restrict his access to certain areas of a domain you can always set explicit deny permissions on his account. Better yet, create a group with the appropriate explicit deny permissions set and make sure his account is a member of that group.
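The OU-scoped delegation and explicit-deny approach from the answer above, as an added PowerShell example (not code from the original thread). It assumes an OU `OU=RemoteSite,DC=corp,DC=example` and a group `RemoteSite-Admins`, both hypothetical, and the RSAT ActiveDirectory module with rights to modify the OU's ACL. It grants the group control of the objects inside the OU, adds an explicit Deny for deletion that wins over that Allow, and then lists the resulting ACEs. Note that OU delegation only governs directory objects; it does not by itself grant the right to log on to a DC.

```powershell
# Added example: delegate one OU to a group, with an explicit Deny on deletion.
# Hypothetical names: OU 'OU=RemoteSite,DC=corp,DC=example', group 'RemoteSite-Admins'.
Import-Module ActiveDirectory

$AdRights    = [System.DirectoryServices.ActiveDirectoryRights]
$Inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$AceType     = [System.Security.AccessControl.AccessControlType]

function Grant-OuDelegation {
    # Gives $GroupSam control of the objects inside $OuDn (Descendents only, not the OU itself)
    # and adds an explicit Deny for Delete/DeleteTree on those objects. Returns the group's SID.
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$GroupSam
    )
    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDn"

    # Full control minus WriteDacl/WriteOwner: with those two, the delegate could simply
    # disable inheritance on a child object and strip the Deny we add below.
    $allowMask   = [int]$AdRights::GenericAll -band (-bnot ([int]$AdRights::WriteDacl -bor [int]$AdRights::WriteOwner))
    $allowRights = [System.DirectoryServices.ActiveDirectoryRights]$allowMask
    $denyRights  = [System.DirectoryServices.ActiveDirectoryRights]([int]$AdRights::Delete -bor [int]$AdRights::DeleteTree)

    $allow = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($sid, $allowRights, $AceType::Allow, $Inheritance::Descendents)
    $deny  = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($sid, $denyRights,  $AceType::Deny,  $Inheritance::Descendents)

    $acl.AddAccessRule($allow)
    $acl.AddAccessRule($deny)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    return $sid
}

function Get-OuDelegation {
    # Lists the ACEs on the OU that name $Sid, Deny entries first (the order Windows evaluates them).
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid
    )
    $acl = Get-Acl -Path "AD:\$OuDn"
    # Ask for rules keyed by SID so no name translation is needed for the comparison.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Sid } |
        Sort-Object AccessControlType -Descending |
        Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType, IsInherited
}

$ouDn     = 'OU=RemoteSite,DC=corp,DC=example'
$groupSid = Grant-OuDelegation -OuDn $ouDn -GroupSam 'RemoteSite-Admins'
Get-OuDelegation -OuDn $ouDn -Sid $groupSid | Format-Table -AutoSize
```

Windows evaluates ACEs in canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. Both rules above are inherited onto the child objects from the same OU, so the Deny is checked first and wins; an explicit Allow set directly on a child object would, however, be evaluated before that inherited Deny, which is why the example also withholds WriteDacl and WriteOwner from the delegate.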
ASKER
Within the Security tab and the Advanced option, is there a detailed guide of what to deny? There seem to be quite a few options that I am not totally familiar with.
ASKER
So we have structured the groups according to what you have stated and the permissions were adjusted, but what is puzzling is that the problem is the ability for this user to have shutdown capabilities on the domain controller.
Which version of Windows Server do you have?
ASKER
Toni, we are on Server 2012.
Windows Server 2008 and later support Administrator Role Separation, if you are using an RODC.
Administrator Role Separation
https://technet.microsoft.com/en-us/library/cc753170(v=ws.10).aspx
I don't know if RODC is an option for you, but ARS is exactly what you are looking for.
ASKER
I right-clicked on the OU and delegated control for the group in question, and when trying to log in to the domain controller I now get the error "The connection was denied because the user account is not authorized for remote login."
Add user to account operators groups. That is enough for your requirement.
The following groups are allowed to 'log on locally' and 'shutdown the system' on DCs:
Account operators, backup operators, print operators, server operators, administrators
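A way to verify the user rights named in the answer above on the DC itself, as an added PowerShell example (not code from the original thread). The two rights quoted there are SeInteractiveLogonRight (Allow log on locally) and SeShutdownPrivilege (Shut down the system); the Remote Desktop error quoted earlier in the thread corresponds to a third, separate right, SeRemoteInteractiveLogonRight (Allow log on through Remote Desktop Services), which the Default Domain Controllers Policy grants only to Administrators. The script parses the `[Privilege Rights]` section that `secedit /export` writes; the INF text embedded below is constructed to reflect the default Domain Controllers Policy values so it runs offline, and the live export function assumes it is run as a local administrator on the DC.

```powershell
# Added example: report who holds the logon and shutdown user rights on a DC, and whether
# a given group (Account Operators here, well-known SID S-1-5-32-548) is among them.

# Constructed sample in the format 'secedit /export' writes; values mirror the
# Default Domain Controllers Policy defaults (544 Administrators, 548 Account Operators,
# 549 Server Operators, 550 Print Operators, 551 Backup Operators).
$SampleInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544
'@

$RightsOfInterest = [ordered]@{
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeShutdownPrivilege           = 'Shut down the system'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
}

function Get-PrivilegeRights {
    # Parses the [Privilege Rights] section of a secedit INF into a hashtable:
    # right name -> array of SecurityIdentifier. Entries are '*SID' or an account name.
    param([Parameter(Mandatory)][string]$InfText)
    $result = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $sids = foreach ($entry in ($Matches[2] -split ',')) {
                $entry = $entry.Trim()
                if ($entry -eq '') { continue }
                if ($entry.StartsWith('*')) {
                    [System.Security.Principal.SecurityIdentifier]($entry.Substring(1))
                } else {
                    ([System.Security.Principal.NTAccount]$entry).Translate([System.Security.Principal.SecurityIdentifier])
                }
            }
            $result[$name] = @($sids)
        }
    }
    return $result
}

function Get-LiveInf {
    # Exports the effective user-rights policy of this machine (run as administrator on the DC).
    $path = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $path /areas USER_RIGHTS | Out-Null
    $text = Get-Content -Path $path -Raw
    Remove-Item -Path $path -ErrorAction SilentlyContinue
    return $text
}

function Test-HasRight {
    # True if $Sid is listed directly for the right. Nested group membership is not resolved here.
    param([hashtable]$Rights, [string]$RightName, [System.Security.Principal.SecurityIdentifier]$Sid)
    return [bool]($Rights[$RightName] | Where-Object { $_ -eq $Sid })
}

function Show-DcLogonRights {
    param([hashtable]$Rights, [System.Security.Principal.SecurityIdentifier]$Sid)
    foreach ($name in $RightsOfInterest.Keys) {
        $holders = foreach ($s in @($Rights[$name])) {
            # Translate to a name where the machine knows the SID; fall back to the raw SID.
            try { $s.Translate([System.Security.Principal.NTAccount]).Value } catch { $s.Value }
        }
        [pscustomobject]@{
            Right         = $RightsOfInterest[$name]
            Holders       = ($holders -join ', ')
            GroupHasRight = Test-HasRight -Rights $Rights -RightName $name -Sid $Sid
        }
    }
}

$accountOperators = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-548'

# Offline run against the constructed sample:
Show-DcLogonRights -Rights (Get-PrivilegeRights -InfText $SampleInf) -Sid $accountOperators | Format-Table -AutoSize
# Live run on the DC itself (uncomment there):
# Show-DcLogonRights -Rights (Get-PrivilegeRights -InfText (Get-LiveInf)) -Sid $accountOperators
```

Against the sample, Account Operators shows as holding the local logon and shutdown rights but not the Remote Desktop right. On domain controllers these rights come from the Default Domain Controllers Policy GPO (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment), so a change made in the DC's local security policy is overwritten at the next policy refresh; edit that GPO, or one linked to the Domain Controllers OU, and run gpupdate before re-running the live check.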
What rights & permissions does he need to perform his job?
Have you considered a two factor authentication system?