Grant domain admin-like credentials

Hi Experts. Can I get advice on giving a user domain-admin-like creds without making them a domain admin? They should have local admin privileges on all servers and be able to add/remove/change users.

Two domains, one w2k8 and one w2k12 r2

Thanks in advance


John, Business Consultant (Owner), commented:
You can make a local admin on a server, but such a user can change to a Domain Admin.

You are between a rock and a hard place. They are either Administrators or not.
alexsupertramp (Author) commented:
I'm not sure you are accurate on that one, John. I believe there is a way to get a user admin rights on an OU via Delegate Control or Group Policy. That's the type of information I'm looking for.
John, Business Consultant (Owner), commented:
An Admin can change anything. And what you want done needs admin credentials.

John, Business Consultant (Owner), commented:
One practical (but very detailed) solution for this is BeyondTrust.

This is an extension of Group Policies and allows you to define specific tasks that a "user" could do. So you would have to approach from the point of view of detailing the tasks (as opposed to granting overall permission and hoping for the best).
Lee W, MVP, Technology and Business Process Advisor, commented:
Really depends on what you want them to do.

If you want them to have admin rights on all workstations and servers EXCEPT domain controllers, I would recommend creating a couple of groups - "Workstation Admins" and "Server Admins" - and placing the Workstation Admins group in the local Admins group on all workstations. Place the Server Admins group in all the local Admins groups on the servers EXCEPT the domain controllers (which don't have local Admins groups).

Users who you want to be server admins, add to the Server Admins group. Users who you want to be workstation admins with admin rights on the workstations, you put in the Workstation Admins group.

If you want users to have rights to create/modify users in Active Directory, you can delegate access for an OU or OUs to a particular group. If you want more customized access rights, create special domain groups ("Domain Controller Managers" for example) and customize the user rights assignment for that group. Then put the users in the group. It's potentially time consuming to set up, but all very possible...

Quoting: "You can make a local admin on a server but such a user can change to a Domain Admin."

Making someone a local admin on your member computers (client or server) does not give the ability to elevate to a domain admin. You are confusing a standalone or member server's local SAM with AD. Domain\Administrators (scope = domain) is not equivalent to Server\Administrators (scope = host).

Quoting: "I'm not sure you are accurate on that one, John. I believe there is a way to get a user admin rights on an OU via Delegate Control or Group Policy. That's the type of information I'm looking for."

Correct, delegation is achieved via Group Policy. There is a detailed article on the Microsoft wiki. As for delegating out rights for user, group, computer, and other object management within AD, you can do this either via the Delegation Wizard, by modifying the advanced security of the OU and applying that permission to objects of a certain type (Computer, User, etc.), or via scripting (PowerShell, batch, etc.). If you're just starting out with delegating rights, use the Delegation Wizard via Active Directory Users and Computers. I always recommend testing changes in a pre-production environment before making changes to your production AD environment. The good news is, no matter what you do, a domain admin can always undo it ... it just might be painful.
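The two halves of the advice above (a "Server Admins" group that lands in each member server's local Administrators, plus OU-scoped delegation of user management to a separate group) can be scripted rather than clicked through. The script below is an added example written for this thread, not something posted by any of the participants. It assumes the RSAT ActiveDirectory PowerShell module is installed (Windows Server 2008 R2 or later), that it is run once by a Domain Admin, and that the OU name `OU=Staff`, the server list and the group names are placeholders you would replace. The two schema GUIDs are the well-known values for the `user` object class and the "Reset Password" extended right.

```powershell
# Added example (not from the thread). Creates two delegation groups, puts one into
# local Administrators on member servers, and gives the other user-management rights
# on a single OU only. Run as a Domain Admin with the ActiveDirectory module loaded.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$staffOu  = "OU=Staff,$domainDn"                 # assumption: the OU to delegate
$servers  = @('srv-app01', 'srv-file01')          # assumption: member servers, never DCs

# 1. Security groups that carry the delegated rights (never individual accounts).
foreach ($name in 'Server Admins', 'User Managers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                    -Path "CN=Users,$domainDn"
    }
}

# 2. Local Administrators membership on each member server.
# Restricted Groups in a GPO enforces the same thing declaratively; this is the
# ad-hoc equivalent using net.exe, which works on 2008 / 2012 R2 where the
# Microsoft.PowerShell.LocalAccounts module is not available.
$serverAdmins = "$($domain.NetBIOSName)\Server Admins"
Invoke-Command -ComputerName $servers -ScriptBlock {
    param($member)
    net.exe localgroup Administrators $member /add | Out-Null
    net.exe localgroup Administrators            # show the resulting membership
} -ArgumentList $serverAdmins

# 3. OU-scoped delegation: User Managers may create/delete user objects in the OU,
# fully manage existing user objects underneath it, and reset their passwords.
# Nothing here touches the domain head, so it cannot be used to reach Domain Admins.
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$resetPwdGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup 'User Managers').SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$staffOu"

# Create/delete child objects of class user, on this OU and any sub-OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# Full control, but only inherited by descendant objects of class user.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    $allow, [Guid]::Empty,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

# Reset Password extended right on descendant user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$staffOu" -AclObject $acl

# 4. Review what was actually granted, the same view the "Security" tab shows.
(Get-Acl -Path "AD:\$staffOu").Access |
    Where-Object { $_.IdentityReference -like '*User Managers*' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Step 4 is the check worth keeping: anyone auditing the domain later can run the same `Get-Acl` query against every OU and see exactly which groups were delegated what, which is far easier to reason about than membership in Domain Admins.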

Shaun Vermaak, Technical Specialist, commented:
Totally disagree with the first few comments by JH, and you do not need to buy a 3rd-party tool.

Follow my process to create global admins ("...local admin privileges on all servers...")

Finer delegation can be done like this and extended with Delegwiz.inf ("...add/remove/change users...")

As for local admins, you can set passwords via

After that, consider having tiers. DAs should not log in to servers interactively, because password hashes can be harvested.

Additional motivation not to give people Domain Admins. So, in essence, all users that currently have DA are able to get password hashes for all users. I would do an audit and get people with weak passwords to change their passwords.
alexsupertramp (Author) commented:
Thanks for your solutions. I used the Delegation Wizard in conjunction with the Restricted Groups GPO and it seems to be working well for our new staff. I also appreciate the additional granular info from Shaun. I will review this as well.
alexsupertramp (Author) commented:
Hi everyone. I have come across a problem where the person with delegated privileges cannot move workstations from the "Computers" group, which is the default group machines land in when added to the domain, to a different OU. As in my screenshot, I need all workstations moved into the "ldi-pcs" folder so that group policies can take effect. The "Computers" OU is not available in GPO Manager to link a GPO to. Any idea on how to resolve this?

I have also manually given him full control through the "security" tab for "computers" in ADUC.
Shaun Vermaak, Technical Specialist, commented:
All PCs need to be in ldi-pcs? Why not just use redircmp and set it to the default?
alexsupertramp (Author) commented:
That's good advice, Shaun. I did end up resolving it for now by giving him full control over the "Computers" OU.
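The follow-up problem in this thread has two parts: `CN=Computers` is a container rather than an OU (so Group Policy Management cannot link a GPO to it), and moving an object in AD is a delete in the source plus a create in the target, so a delegated account needs rights in both places. The script below is an added example, not something posted in the thread. It assumes the ActiveDirectory module is available, that it is run as a Domain Admin (redircmp requires that and a domain functional level of Windows Server 2003 or higher), and that the OU name `ldi-pcs` from the thread sits directly under the domain head and the delegation group is called "Workstation Admins" (both assumptions). Granting the narrow computer-only rights shown here with `dsacls` is the least-privilege alternative to the full control over `CN=Computers` that the asker ended up giving.

```powershell
# Added example (not from the thread). Redirects the default computer container to an
# OU that can take Group Policy, then delegates just enough to move computer objects.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$targetOu = "OU=ldi-pcs,$($domain.DistinguishedName)"      # assumption: OU location
$group    = "$($domain.NetBIOSName)\Workstation Admins"     # assumption: delegation group

# Where do freshly joined machines land today? The default is CN=Computers, a
# container, not an OU, which is why GPMC refuses to link a GPO to it.
Write-Host "Default computer container is: $($domain.ComputersContainer)"

if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$targetOu'")) {
    throw "Target OU $targetOu does not exist; create it before redirecting."
}

# redircmp rewrites the wellKnownObjects entry on the domain head so new joins go
# straight into the OU. Existing objects are NOT moved by this command.
redircmp.exe $targetOu
Write-Host "Default computer container is now: $((Get-ADDomain).ComputersContainer)"

# A move needs Delete Child on the source and Create Child on the target, for
# computer objects only. /I:T applies to the object and everything under it.
# dsacls permission syntax: <principal>:<rights>;<object type>[;<inherited object type>]
dsacls.exe $domain.ComputersContainer /I:T /G "${group}:CCDC;computer"
dsacls.exe $targetOu                  /I:T /G "${group}:CCDC;computer"

# The move also rewrites attributes on the computer object itself, so allow
# generic write on existing and future computer objects under both locations.
dsacls.exe $domain.ComputersContainer /I:S /G "${group}:GW;;computer"
dsacls.exe $targetOu                  /I:S /G "${group}:GW;;computer"

# Read back the result so the delegation can be audited later.
dsacls.exe $targetOu | Select-String 'Workstation Admins'

# One-time bulk move of the machines already sitting in CN=Computers, run by the
# Domain Admin doing the setup; from now on the delegated group can do this itself.
Get-ADComputer -SearchBase $domain.ComputersContainer -SearchScope OneLevel -Filter * |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $targetOu }
```

Note that `redircmp` only changes where future domain joins land; the final `Move-ADObject` loop is what relocates the workstations that are already in the container, after which the linked GPOs apply on the next policy refresh.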