Limited Administrator on Domain Controller

We want to set up limited administrators on domain controllers at field sites to allow a local IT person the ability to:
Start/Stop services
Modify files/folders (NTFS permissions are set on those files already)
Run backups/ restores

In active directory they need to access an OU that is for their site with the following abilities
Create/ Delete/ Modify groups
Create/ Delete/ Modify computers
Add computers to the domain

And on users in the same OU
reset password
unlock a user
add/remove a user to a group

The AD permissions I have set using delegate control and that works well for us but there are other problems.

We used to use Restricted Groups in a GPO to add the account to the local Administrators group on the server, but we found that this is actually adding them to the Administrators group in the domain, which is a member of Domain Admins, which gives them full domain admin rights.

What I have tried now, using Restricted Groups in a GPO, is adding the user to the following groups:
Backup Operators
Server Operators
Remote Desktop Users

I have also granted Remote Desktop Users the right to log in via Remote Desktop in the same GPO (this is removed by default on domain controllers).

Now the user can log into the server and can modify file/folder permissions, but they cannot:
Open services.msc
Open ADUC

Most servers are 2012 R2 but a few are 2008 R2

-eb
Asked by Erik Bjers (Principal Systems Administrator)


Miguel Angel Perez Muñoz commented:
Start/Stop services
Modify files/folders (NTFS permissions are set on those files already)
Run backups/ restores

This could be done by editing the Domain Controllers policy or adding a new policy under the Domain Controllers OU. Additionally, you can set up more granularity by creating sub-OUs and placing these policies under them, applying them only to the desired DCs (instead of all).

In active directory they need to access an OU that is for their site with the following abilities
Create/ Delete/ Modify groups
Create/ Delete/ Modify computers
Add computers to the domain

And on users in the same OU
reset password
unlock a user
add/remove a user to a group

Delegate this task using AD delegation: http://www.tomshardware.co.uk/faq/id-1943903/delegate-domain-account-creation-task-user-windows-server-2012.html

I prefer delegation over a group user instead; it is easy to change.
Erik Bjers (Principal Systems Administrator, author) commented:
Miguel,

As I said in my post, we are delegating rights on the OU in AD, but the local administrator cannot open ADUC.

We also already have the domain controller in its own OU (one for each site) under the Domain Controllers OU, and we are applying GPOs there.

My question is what rights do I need to assign and/or what groups do I need to add the account to using that GPO.

eb
Muhammad Burhan (Manager I.T.) commented:

Jeff Glover (Sr. Systems Administrator) commented:
If you are running at least Server 2008, you would be better off converting the DCs at those sites to Read Only DCs. Then you can assign a group or user as administrator without giving them AD rights.
Erik Bjers (Principal Systems Administrator, author) commented:
But if the DC is read-only they will not be able to edit users or groups on their server, and as many of these sites are in very remote locations, editing AD objects on a different server can be almost impossible; plus they would then need the rights at that server.
Jeff Glover (Sr. Systems Administrator) commented:
They most certainly will be able to do any task they have permission to do. The common misconception with RODCs is that when you open the AD tools on the server, it connects to the local server. (This is one reason why some hate them. They do not understand them. A common issue.) When you open AD tools like Users and Computers or Sites and Services on an RODC, you actually are connecting to the nearest Read/Write DC to make changes, not the local RODC. The local copy of AD is just that, a copy. The only real thing that happens is it caches the passwords of those who log on so that in case of loss of connectivity with your root, you can still log on. (It does not cache Administrator passwords unless you override the default restrictions.) It is exactly the same as if you installed the Remote Server Admin tools for AD on a workstation. This happens by default. When you open the MMC, look at the top of the tree on the left. It will say what server you are connecting to right next to the name, i.e., Active Directory Users and Computers [Server1.Domain.Com]
The AD permissions are handled by Delegating Authority. To delegate, you select the OU you want to delegate permission to, right click, and select Delegate Control. The Wizard will guide you through. (Unlocking users is an extended right called Read Lockout time and Write Lockout time.)
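The delegation described above, scripted instead of clicked through the wizard, as an added example that is not from the thread or any participant. It grants the rights the question lists (create/delete/modify groups and computers, reset password, unlock, group membership) to one site group on one site OU; the OU path and group name are placeholders, and the schema and extended-right GUIDs are resolved from the forest rather than hard-coded.

```powershell
# Added example (not from the thread): delegate the site-admin rights from the
# question on one site OU. $ouDN and $groupName are placeholder names.
Import-Module ActiveDirectory
$ouDN      = 'OU=Site01,OU=Sites,DC=corp,DC=example'   # placeholder site OU
$groupName = 'Site01-LocalAdmins'                        # placeholder site group
$sid       = (Get-ADGroup $groupName).SID
$rootDSE   = Get-ADRootDSE

# Look up object-class / attribute GUIDs and extended-right GUIDs by name so the
# script does not depend on remembered magic values.
$schema = @{}
Get-ADObject -SearchBase $rootDSE.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schema[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }
$rights = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rights[$_.displayName] = [guid]$_.rightsGuid }

function New-SiteAce($adRights, $objectGuid, $inheritance, $inheritedObjectGuid) {
    # Allow ACE for the site group, scoped to an object type / inherited type.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $adRights, 'Allow', $objectGuid, $inheritance, $inheritedObjectGuid)
}

$aces = @(
    # Create and delete group and computer objects in the OU and its sub-OUs.
    New-SiteAce 'CreateChild, DeleteChild' $schema['group']    'All' ([guid]::Empty)
    New-SiteAce 'CreateChild, DeleteChild' $schema['computer'] 'All' ([guid]::Empty)
    # Modify existing groups (covers add/remove member) and computers under the OU.
    New-SiteAce 'GenericAll' ([guid]::Empty) 'Descendents' $schema['group']
    New-SiteAce 'GenericAll' ([guid]::Empty) 'Descendents' $schema['computer']
    # Users: the Reset Password extended right, and read/write of lockoutTime
    # (the "Read/Write Lockout time" pair the wizard shows) for unlocking.
    New-SiteAce 'ExtendedRight' $rights['Reset Password'] 'Descendents' $schema['user']
    New-SiteAce 'ReadProperty, WriteProperty' $schema['lockoutTime'] 'Descendents' $schema['user']
)

# Append the ACEs to the OU's security descriptor; nothing on user objects
# outside this OU changes, and no built-in group membership is touched.
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

Joining a machine into that OU (for example with Add-Computer -OUPath) then works because the group may create computer objects there, so the default per-user machine-account quota does not come into play.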
Erik Bjers (Principal Systems Administrator, author) commented:
The problem is that so far the only way I have been able to give access to ADUC is to put the user in the local Administrators group on the server via Restricted Groups. But this also puts them in the domain\Administrators group, giving them full access to all OUs in ADUC as well as Sites and Services, DNS, DHCP, and other things they are not supposed to mess with.

If they are connecting to a remote server they would still need the rights to open ADUC on the local server which means (I think) giving them admin rights.

Another issue is these servers are already built and promoted so converting them to RODC may not be a viable option.

I have not had time to go through the article posted earlier but I think that looks like the best option.
Jeff Glover (Sr. Systems Administrator) commented:
I described exactly how I designed my company to do it, and it does it quite well. 2 datacenters with root Read/Write DCs and 30 branch offices, each with an RODC and a local administrator/desktop technician assigned to manage it. The rights you want to give are not much more than what we give our local admins. None of our local admins has domain admin rights. We use Restricted Groups to add them to the local admin group in all workstations and non-critical servers.
As for opening ADUC, just install it on your workstation and it will open for anyone. You just can't do anything with it. All users have read access to AD to a point.
As for the option, demote and then promote as RODC. You just need to run RODC prep in the forest first.
The reason putting them in the "Administrators" group on the DC adds them to Administrators in AD is that there are no local groups on a DC. The Security Accounts Manager (SAM) does not exist. It is replaced with AD. RODCs give you a way to go around that by assigning a person to manage the RODC just like he was the administrator of a file server.
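A check for the failure mode discussed in this thread (a Restricted Groups policy silently landing a site account in the domain's own privileged groups), as an added example that is not from the thread or any participant. It reports every DC-privileged group a principal belongs to, nested membership included; the principal name is a placeholder.

```powershell
# Added example (not from the thread): report which DC-privileged groups a
# delegated site-admin principal belongs to, following nested membership.
# 'Site01-LocalAdmins' is a placeholder name.
Import-Module ActiveDirectory

function Get-PrivilegedGroupExposure {
    param([Parameter(Mandatory)][string]$Principal)
    # A DC has no local SAM, so "Administrators" in a Restricted Groups policy
    # is the domain's BUILTIN\Administrators. The operator groups are also
    # highly privileged on a DC even though they are not "admins" by name.
    $watch = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
             'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'

    $target = Get-ADObject -LDAPFilter "(sAMAccountName=$Principal)"
    if (-not $target) { throw "No principal named '$Principal'" }

    # LDAP_MATCHING_RULE_IN_CHAIN makes the DC walk nested membership itself,
    # so a group nested several levels deep still shows up. A flat memberOf
    # read (e.g. Get-ADPrincipalGroupMembership) reports direct membership only.
    $dn    = $target.DistinguishedName
    $chain = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"

    foreach ($g in $chain) {
        if ($watch -contains $g.Name) {
            [pscustomobject]@{
                Principal       = $Principal
                PrivilegedGroup = $g.Name
                GroupDN         = $g.DistinguishedName
            }
        }
    }
}

# Run this before and after applying a Restricted Groups policy to a DC OU:
# an empty result means the principal is in none of the watched groups.
Get-PrivilegedGroupExposure -Principal 'Site01-LocalAdmins' | Format-Table -AutoSize
```

The matching-rule filter is resolved server-side, so it stays correct even when group nesting crosses several levels or OUs.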
Erik Bjers (Principal Systems Administrator, author) commented:
Hello all,

I am still in the process of testing the solutions you have provided and I should select an answer by the end of the week.

Thanks for all the good ideas,

eb
Erik Bjers (Principal Systems Administrator, author) commented:
Hello all,

Thanks for the great options. I have been able to put together a workable solution based on your responses.

Sorry it took me a while to close this but I went on vacation without my laptop...

eb