Non Domain Admin looking after a DC...?

By paul.hirst
I need to have DCs at various offices, and the local IT people will need to be able to administer the box that is their DC (e.g. in case they needed to add a new NIC or something). However, I don't want them to have any wider rights to the domain, and I certainly don't want to give them Domain Admin rights.
How can I do this? DCs don't have local groups, so the usual approach of adding the user to the Local Admins group can't be done.
Any ideas?

by rmelendy In reply to Non Domain Admin looking ...

You might try creating an Organizational Unit for each location. You could then move the appropriate DCs to the corresponding OU and then use the Delegation of Authority wizard to give some administrative rights.

HTH

Rob

by paul.hirst In reply to Non Domain Admin looking ...

You can't grant permissions to locally administer a DC this way.
I think you need to grant certain rights to the DC object using ADSI Edit but I can't work out how.

by rmelendy In reply to Non Domain Admin looking ...

What exactly are you trying to let the local IT people do?

by paul.hirst In reply to Non Domain Admin looking ...

You don't seem to be able to give people any rights whatsoever to the box because there are no local groups. Just Power User rights to the box would be fine, but there is no such thing on a DC. For example, they might need to upgrade AV software, change a device driver, add a Service Pack, add a new hardware item or whatever.

by rmelendy In reply to Non Domain Admin looking ...

Last one Paul...I promise. I have a DC. I created an OU called DCOU. I then created a GPO called DCGPO and assigned a user Rob permission to log on locally. I made sure there were no conflicting Default Domain Policies or Domain Controller Policies. I also edited the Local Policy so that Administrators had log on locally rights. After refreshing the policy (secedit /refreshpolicy machine_policy), Administrators and Rob had the right to log on locally to that machine. It would appear the delegation of administration through the GPO policy worked. Just my 2 cents.

Good luck.

by paul.hirst In reply to Non Domain Admin looking ...

Thanks for the help Rob - I wasn't being very clear. Yes, you're right, you can delegate certain rights to the DC using the DOA wizard. You can additionally delegate other rights to either the DC object or the OU it is in, using ADSI Edit. Trouble is, I want to give a local administrator full rights but only to that one box. It's not at all obvious what rights they will need, and it's a very messy process. I have managed to give them most rights, but there are still many basic things they can't do. Because it's so difficult to do, I suspect this can't be the best approach. Any thoughts?
Of course on a non-DC you just make them a local Admin so it's easy.
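An added example, not from the thread, that audits the two mechanisms Rob and Paul discuss: the explicit ACEs delegated on one DC's computer object and on the OU holding it (what the delegation wizard or ADSI Edit actually wrote), and the resulting "Allow log on locally" assignment on the DC itself. It assumes it is run on that DC with the ActiveDirectory module installed; the DC name BRANCH-DC01 is a placeholder.

```powershell
# Added example: audit what has actually been delegated for one DC.
# Assumptions: run on the DC itself with rights to read AD ACLs and export
# local security policy; BRANCH-DC01 is a placeholder computer name.
Import-Module ActiveDirectory

$dcName = 'BRANCH-DC01'
$dc     = Get-ADComputer -Identity $dcName
$ouDn   = ($dc.DistinguishedName -split ',', 2)[1]   # parent OU/container of the DC object

# 1. Explicit (non-inherited) ACEs on the DC object and on its OU.
#    Inherited ACEs come from the domain defaults; the explicit ones are the delegations.
#    ObjectType is the GUID of the property/extended right, or all zeros for the whole object.
foreach ($dn in @($dc.DistinguishedName, $ouDn)) {
    Write-Host "`nExplicit ACEs on $dn"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritanceType |
        Format-Table -AutoSize
}

# 2. Who holds SeInteractiveLogonRight ("Allow log on locally") on this DC.
#    secedit writes a Unicode INF; the [Privilege Rights] section lists
#    principals as *SID (or occasionally a plain account name).
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
if ($line) {
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    Write-Host "`nAllow log on locally on ${env:COMPUTERNAME}:"
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            $sid = $e.TrimStart('*')
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                        Translate([System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved)' }
        } else {
            $sid = ''; $name = $e                       # already a name, not a SID
        }
        Write-Host ("  {0,-45} {1}" -f $sid, $name)
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Running the second part on the DC after a GPO refresh shows whether the GPO-assigned user actually received the right, which is the check Rob describes doing by hand.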
