asked on

Windows 2008 R2 Domain Controller + Services with Local Admin Rights

We are setting up McAfee SIEM in our environment to tail the DNS log files on our DNS servers which are also DC's. The application requires the service account to be a local admin but of course "local admin" does not exist on a DC... I did find the article below on using the Netlocal group command....

I tried this in my lab and did add the test user to the local administrator group. Here are my questions

What actual rights would this user account have in AD and on other DC?

http://www.richardawilson.com/2010/06/add-user-as-local-administrator-on.html

ASKER CERTIFIED SOLUTION

Aard Vark

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

compdigit44

ASKER

Thank you for your feedback. I have been doing extra testing in my lab today and found the when adding a user to the domain "Administrators" group gave them full access to AD. I did find after adding my test user to the Server Operators group gave them enough access to the DC not only read-only access in AD which it perfect.

I guess I am having a mental block. You think Domain Admin group as the main group but get confused with the "Administrators" group as well..

Aard Vark

Yes, it happens. That guys article is truly scary stuff though and really a perfect example of someone out of their depth giving out advice. I was going to comment on his article but I see many others have already and he still has not updated his advice. Very poor form not to go back and correct himself.

compdigit44

ASKER

agreed could you clear up my confusion so to the permissioin difference between the "Administrators" group and Domain Admins.... if any