Solved

Windows 2008 R2 Domain Controller + Services with Local Admin Rights

Posted on 2016-07-24
Last Modified: 2016-07-30
We are setting up McAfee SIEM in our environment to tail the DNS log files on our DNS servers, which are also DCs. The application requires the service account to be a local admin, but of course "local admin" does not exist on a DC. I did find the article below on using the net localgroup command.

I tried this in my lab and did add the test user to the local Administrators group. Here are my questions:

What actual rights would this user account have in AD and on other DCs?

http://www.richardawilson.com/2010/06/add-user-as-local-administrator-on.html
0
Question by:compdigit44
4 Comments
 
LVL 17

Accepted Solution

by:
Learnctx earned 500 total points
ID: 41726881
If you follow the advice above you would be making the user a member of the Administrators group in the domain. There is no local Administrators group on a domain controller in the traditional sense, because it does not use the local SAM database. Its database is the AD database now (Ntds.dit). The person who wrote that article is terrible; ignore them.

I would say export the logs to a network share and have the McAfee SIEM consume them from that location. This is very common for other solutions like Splunk as well. Otherwise, look at installing their agent, if they have one, on the DC, which would usually run with SYSTEM privileges.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41728586
Thank you for your feedback. I have been doing extra testing in my lab today and found that adding a user to the domain "Administrators" group gave them full access to AD. I did find that adding my test user to the Server Operators group gave them enough access to the DC and only read-only access in AD, which is perfect.

I guess I am having a mental block. You think of the Domain Admins group as the main group but get confused with the "Administrators" group as well.
0
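The question of what a service account can actually do on a DC comes down to which privileged groups it ends up in, directly or through nesting. The following PowerShell script is an added example, not code from this thread or from McAfee; it assumes the RSAT ActiveDirectory module is installed and uses the placeholder account name svc-siem-dns. It first shows that the "local" Administrators group on a DC resolves to the domain-wide BUILTIN group (well-known SID S-1-5-32-544), then reports whether the account lands in Administrators, Server Operators, Domain Admins or similar groups, including via nested membership.

```powershell
# Added example (not part of the original thread). Assumes the RSAT
# ActiveDirectory module is available and that 'svc-siem-dns' is a
# placeholder for the SIEM service account.
Import-Module ActiveDirectory

$Account = 'svc-siem-dns'   # placeholder service account name

# On a DC, BUILTIN\Administrators is an AD object, not a local SAM group.
# Resolving the well-known SID shows the domain-local group it really is.
Get-ADGroup -Identity 'S-1-5-32-544' | Select-Object Name, GroupScope, DistinguishedName

# Well-known SIDs are fixed by Windows; the domain-relative RIDs (512, 519)
# are appended to this domain's SID.
$DomainSid = (Get-ADDomain).DomainSID.Value
$PrivilegedGroups = @{
    'S-1-5-32-544'       = 'Administrators (BUILTIN, applies to every DC in the domain)'
    'S-1-5-32-549'       = 'Server Operators'
    'S-1-5-32-548'       = 'Account Operators'
    'S-1-5-32-551'       = 'Backup Operators'
    "$DomainSid-512"     = 'Domain Admins'
    "$DomainSid-519"     = 'Enterprise Admins (exists in the forest root domain only)'
}

# Get-ADPrincipalGroupMembership returns direct memberships only, so walk
# the nested groups ourselves with a simple breadth-first search.
function Get-EffectiveGroupSids {
    param([string]$Identity)
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    foreach ($g in Get-ADPrincipalGroupMembership -Identity $Identity) { $queue.Enqueue($g) }
    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        if ($seen.ContainsKey($g.SID.Value)) { continue }   # already visited
        $seen[$g.SID.Value] = $g.Name
        foreach ($parent in Get-ADPrincipalGroupMembership -Identity $g.DistinguishedName) {
            $queue.Enqueue($parent)
        }
    }
    return $seen
}

$effective = Get-EffectiveGroupSids -Identity $Account
$hits = @($effective.Keys | Where-Object { $PrivilegedGroups.ContainsKey($_) })

foreach ($sid in $hits) {
    '{0} is a member (directly or via nesting) of {1} [{2}]' -f $Account, $effective[$sid], $PrivilegedGroups[$sid]
}
if ($hits.Count -eq 0) {
    "$Account holds none of the listed privileged group memberships"
}
```

Run it on a DC, or anywhere with RSAT, as an account that can read group membership. Any hit on S-1-5-32-544 means the account is an administrator of every DC and of AD itself, which is the outcome the accepted answer warns about; a hit only on Server Operators matches what the author observed in the lab. For a second opinion from the token itself, `whoami /groups` run in a session as the service account lists the same SIDs after logon.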
 
LVL 17

Expert Comment

by:Learnctx
ID: 41728632
Yes, it happens. That guy's article is truly scary stuff though, and really a perfect example of someone out of their depth giving out advice. I was going to comment on his article, but I see many others have already and he still has not updated his advice. Very poor form not to go back and correct himself.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 41728664
Agreed. Could you clear up my confusion as to the permission difference between the "Administrators" group and Domain Admins... if any?
0
