Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.
COURSE of the MONTH
11 days, 14 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Windows 2008 R2 Domain Controller + Services with Local Admin Rights
Posted on 2016-07-24
We are setting up McAfee SIEM in our environment to tail the DNS log files on our DNS servers which are also DC's. The application requires the service account to be a local admin but of course "local admin" does not exist on a DC... I did find the article below on using the Netlocal group command....
I tried this in my lab and did add the test user to the local administrator group. Here are my questions
What actual rights would this user account have in AD and on other DC?
http://www.richardawilson.com/2010/06/add-user-as-local-administrator-on.html
I tried this in my lab and did add the test user to the local administrator group. Here are my questions
What actual rights would this user account have in AD and on other DC?
http://www.richardawilson.com/2010/06/add-user-as-local-administrator-on.html
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
2
2
4 Comments
Active today
If you follow the advice above you would be making the user a member of the Administators group in the domain. There is no local administrators group on a domain controller in the traditional sense because it does not use the local SAM database. Its database is the AD database now (Ndts.dit). The person who wrote that article is terrible ignore them.
I would say export the logs to a network share and have the McAfee seem consume them from that location. This is very common for other solutions like Splunk as well. Otherwise look at installing their agent if they have one on the DC which would usually run with system privileges.
I would say export the logs to a network share and have the McAfee seem consume them from that location. This is very common for other solutions like Splunk as well. Otherwise look at installing their agent if they have one on the DC which would usually run with system privileges.
Active today
Thank you for your feedback. I have been doing extra testing in my lab today and found the when adding a user to the domain "Administrators" group gave them full access to AD. I did find after adding my test user to the Server Operators group gave them enough access to the DC not only read-only access in AD which it perfect.
I guess I am having a mental block. You think Domain Admin group as the main group but get confused with the "Administrators" group as well..
I guess I am having a mental block. You think Domain Admin group as the main group but get confused with the "Administrators" group as well..
Active today
Yes, it happens. That guys article is truly scary stuff though and really a perfect example of someone out of their depth giving out advice. I was going to comment on his article but I see many others have already and he still has not updated his advice. Very poor form not to go back and correct himself.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed.
Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Suggested Courses
Course of the Month11 days, 14 hours left to enroll
752 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.