Member_2_2473503 (Philippines) asked on
Limited Administrator on Domain Controller

We want to set up limited administrators on domain controllers at field sites to allow a local IT person the ability to:
Start/Stop services
Modify files/folders (NTFS permissions are set on those files already)
Run backups/ restores

In Active Directory they need to access an OU that is for their site with the following abilities:
Create/ Delete/ Modify groups
Create/ Delete/ Modify computers
Add computers to the domain

And on users in the same OU:
reset password
unlock a user
add/remove a user to a group

The AD permissions I have set using delegate control and that works well for us but there are other problems.

We used to use restricted groups in GPO to add the account to the local administrators group on the server but we found that this is actually adding them to the administrators group in the domain, which is a member of domain admins, which gives them full domain admin rights.

What I have tried now: using restricted groups in GPO I have added the user to the following groups
Backup Operators
Server Operators
Remote Desktop Users

I have also granted Remote Desktop Users the log on via Remote Desktop right in the same GPO (this is removed by default on domain controllers).

Now the user can log into the server and can modify file/folder permissions but they cannot:
Open services.msc
Open ADUC

Most servers are 2012 R2 but a few are 2008 R2

-eb
Miguel Angel Perez Muñoz (Spain)

Start/Stop services
Modify files/folders (NTFS permissions are set on those files already)
Run backups/ restores

This could be done by editing the Domain Controllers policy or adding a new policy under the Domain Controllers OU. Additionally you can set up more granularity by creating sub-OUs and placing these policies under them, applying only to the desired DC (instead of all).

In active directory they need to access an OU that is for their site with the following abilities
Create/ Delete/ Modify groups
Create/ Delete/ Modify computes
Add computers to the domain

And on users in the same OU
reset password
unlock a user
add/remove a user to a group

Delegate this task using delegation AD: http://www.tomshardware.co.uk/faq/id-1943903/delegate-domain-account-creation-task-user-windows-server-2012.html

I prefer delegation over a group user instead; it is easy to change.
ASKER
Miguel,

As I said in my post we are delegating rights on the OU in AD, but the local administrator cannot open ADUC.

We also already have the domain controller in its own OU (one for each site) under the Domain Controllers OU and we are applying GPOs here.

My question is what rights do I need to assign and/or what groups do I need to add the account to using that GPO.

eb
ASKER CERTIFIED SOLUTION
Muhammad Burhan (Pakistan)

But if the DC is read only they will not be able to edit users or groups on their server, and as many of these sites are in very remote locations editing AD objects on a different server can be almost impossible, plus they would then need the rights at that server.

They most certainly will be able to do any task they have permission to do. The common misconception with RODCs is that when you open the AD tools on the server, it connects to the local server. (This is one reason why some hate them. They do not understand them. A common issue.) When you open AD tools like Users and Computers or Sites and Services on a RODC, you actually are connecting to the nearest Read/Write DC to make changes, not the local RODC. The local copy of AD is just that, a copy. The only real thing that happens is it caches the passwords of those who log on so in case of loss of connectivity with your root, you can still log on. (Does not cache Administrator passwords unless you override the default restrictions.) It is exactly the same as if you installed the Remote Server Admin tools for AD on a Workstation. This happens by default. When you open the MMC, look at the top of the tree on the left. It will say what server you are connecting to right next to the name, i.e., Active Directory Users and Computers [Server1.Domain.Com].

The AD permissions are handled by Delegating Authority. To Delegate, you select the OU you want to delegate permission to, right click, and select Delegate Control. The Wizard will guide you through. (Unlocking users is an extended right called Read Lockout time and Write Lockout time.)

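As an added example (not code from this thread or from any of its posters), here is the same delegation the post above describes, done with `dsacls` rather than the Delegate Control wizard, covering the rights the question asks for on a site OU. It assumes the RSAT AD module is present and uses constructed names throughout: the domain `CORP` (`DC=corp,DC=example`), the site OU `Site01`, and the delegated group `CORP\Site01-LocalIT`. The last line also shows which DC the session actually bound to, which is the point the post makes about RODCs.

```powershell
# Added example, not from this thread. All names are constructed:
# domain CORP (DC=corp,DC=example), site OU "Site01", delegated group "Site01-LocalIT".
Import-Module ActiveDirectory

$ou    = 'OU=Site01,DC=corp,DC=example'
$group = 'CORP\Site01-LocalIT'

# /I:S = inherit to child objects only (the users/groups/computers inside the OU).
# "Reset Password" is an extended right (control access, CA) on user objects.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# "Unlock" is not a separate right: it is read + write (RP/WP) of the
# lockoutTime attribute on user objects, as the post says.
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# Add/remove a user to a group = read + write the member attribute on group objects.
dsacls $ou /I:S /G "${group}:RPWP;member;group"

# Create/delete group and computer objects in the OU (/I:T = this OU and its children).
# Creating computer objects here is what lets the site admin join machines into this OU.
dsacls $ou /I:T /G "${group}:CCDC;group" "${group}:CCDC;computer"

# Full control over the group and computer objects that already exist (the "Modify" part).
dsacls $ou /I:S /G "${group}:GA;;group" "${group}:GA;;computer"

# Review: every ACE dsacls now lists for the delegated group on this OU.
dsacls $ou | Select-String -SimpleMatch 'Site01-LocalIT'

# Which DC did the AD tools bind to? From an RODC or a workstation this is a
# writable DC, not the local machine, which is why no local admin right is needed.
(Get-ADRootDSE).dnsHostName
```

Run the `dsacls` lines once as a domain admin; the delegated user then needs no group membership on the DC at all. `${group}` is written with braces because PowerShell would otherwise read `$group:` as a drive or scope prefix. Note that none of these ACEs reach outside `OU=Site01`, so Sites and Services, DNS and DHCP stay out of scope.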
The problem is that so far the only way I have been able to give access to ADUC is to put the user in the local administrators group on the server via restricted groups.  But this also puts them in the domain\administrators group giving them full access to all OUs in ADUC as well as sites and services, DNS, DHCP, and other things they are not supposed to mess with.

If they are connecting to a remote server they would still need the rights to open ADUC on the local server which means (I think) giving them admin rights.

Another issue is these servers are already built and promoted so converting them to RODC may not be a viable option.

I have not had time to go through the article posted earlier but I think that looks like the best option.
I described exactly how I designed my company to do it, and it does it quite well. 2 Datacenters with Root Read/Write DCs and 30 branch offices each with an RODC and a local administrator/Desktop Technician assigned to manage it. The rights you want to give are not much more than what we give our local admins. None of our local admins has domain admin rights. We use restricted groups to add them to the local admin group in all workstations and non-critical servers.

As for opening ADUC, just install it on your Workstation and it will open for anyone. You just can't do anything with it. All users have read access to AD to a point.

As for the option, demote and then promote as RODC. You just need to run RODC prep in the forest first.

The reason putting them in the "Administrators" group on the DC adds them to Administrators in AD is that there are no local groups on a DC. The Security Accounts Manager (SAM) does not exist. It is replaced with AD. RODCs give you a way to go around that by assigning a person to manage the RODC just like he was the administrator of a File server.

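The point made above, that "Administrators" on a DC is the domain's BUILTIN\Administrators object rather than a local SAM group, is easy to check and worth auditing after any Restricted Groups change. The following is an added example (not from this thread or its posters): it resolves the group by its well-known SID, lists direct members that are not in a constructed allow-list of the default members, and expands any unexpected nested group so the effective accounts are visible. It assumes the RSAT AD module and rights to read group membership.

```powershell
# Added example, not from this thread. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

# On a DC there is no local SAM: "Administrators" resolves to the domain's
# BUILTIN\Administrators object, well-known SID S-1-5-32-544. Anything a
# Restricted Groups policy pushes into "Administrators" on a DC lands here, domain-wide.
$builtinAdmins = Get-ADGroup -Identity 'S-1-5-32-544'
Write-Host "BUILTIN\Administrators is an AD object at: $($builtinAdmins.DistinguishedName)"

# Constructed allow-list: the direct members present by default in a new domain.
$expectedDirect = @('Administrator', 'Domain Admins', 'Enterprise Admins')

# Direct members only; nested groups are expanded below so the source is clear.
$unexpected = Get-ADGroupMember -Identity $builtinAdmins |
    Where-Object { $expectedDirect -notcontains $_.SamAccountName }

foreach ($m in $unexpected) {
    Write-Warning "Unexpected direct member of Administrators: $($m.SamAccountName) ($($m.objectClass))"
    if ($m.objectClass -eq 'group') {
        # Show the accounts that effectively hold the right through this group.
        Get-ADGroupMember -Identity $m -Recursive |
            ForEach-Object { Write-Host "    -> $($_.SamAccountName) ($($_.objectClass))" }
    }
}

if (-not $unexpected) { Write-Host 'No unexpected direct members of BUILTIN\Administrators.' }
```

A site group such as the one the question put into Restricted Groups would show up here as an unexpected direct member, with every site admin listed underneath it; that is the symptom the question describes, seen from the directory side rather than from the server.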
Hello all,

I am still in the process of testing the solutions you have provided and I should select an answer by the end of the week.

Thanks for all the good ideas,

eb
Hello all,

Thanks for the great options I have been able to put together a workable solution based on your responses.

Sorry it took me a while to close this but I went on vacation without my laptop...

eb