#1
| Granting local admin rights on domain controller
Hi, I'm looking for a way to give a group local admin rights on DCs (preferably all servers in domain) without them getting any AD rights. This needs to happen because AD is managed by 1 team and the OS another team. I've looked through many forums and it doesn't seem possible as the DCs only have the builtin-admin group. I've tried creating a GPO restricted group but this gives them AD rights also.

Also, is it possible to give a group local admin rights to all member servers (without manually adding to local groups individually)?

Any info would be great, thanks!

#2
| Re: Granting local admin rights on domain controller
Micka <Micka.3ibwvb@DoNotSpam.com> wrote:
> Hi I'm looking for a way to give a group local admin rights on DC's
> (preferably all servers in domain) without them getting any AD rights.
> This needs to happen because AD is managed by 1 team and the OS
> another team. I've looked through many forums and it doesn't seem
> possible as the DC's only have the builtin-admin group. I've tried
> creating a GPO restricted group but this gives them AD rights also.
>
> Also, is it possible to give a group local admin rights to all member
> servers (without manually adding to local groups individually)?
>
> Any info would be great, thanks!

There's no such thing as a local admin on a DC. I think your company needs to re-consider how it breaks up its admin duties. This doesn't make any sense. Someone who doesn't understand AD enough to be trusted with it shouldn't be mucking around in the OS on a DC in the first place.

For member servers, create an AD security group (I'd do universal) and add it to the local Administrators group. You can look into Restricted Groups (via group policy) or simply add the AD group to the local Administrators group manually or via startup script.
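
The startup-script route mentioned in the reply above, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts cmdlets) and a hypothetical group name `EXAMPLE\OS-Server-Admins`; it refuses to run on a domain controller, where "Administrators" is the domain's built-in group rather than a local one.

```powershell
# Added example: computer startup script (runs as SYSTEM) for member servers.
# 'EXAMPLE\OS-Server-Admins' is a hypothetical group name; substitute your own.
param(
    [string]$GroupToAdd = 'EXAMPLE\OS-Server-Admins'
)

# Win32_ComputerSystem.DomainRole values:
#   0/1 = standalone/member workstation, 2/3 = standalone/member server,
#   4/5 = backup/primary domain controller.
function Get-DomainRoleName {
    param([int]$DomainRole)
    switch ($DomainRole) {
        3               { 'MemberServer' }
        { $_ -in 4, 5 } { 'DomainController' }
        default         { 'Other' }
    }
}

function Add-ServerAdminGroup {
    param([string]$Member)

    $domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $role = Get-DomainRoleName -DomainRole $domainRole
    if ($role -ne 'MemberServer') {
        # On a DC, "Administrators" is the domain's BUILTIN\Administrators group,
        # so adding a member there grants rights in AD. Never touch it from here.
        return "skipped ($role)"
    }

    try {
        # S-1-5-32-544 is the well-known SID of the local Administrators group;
        # using the SID avoids problems with localized group names.
        Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $Member -ErrorAction Stop
        return 'added'
    }
    catch {
        # Re-running at every boot is expected, so an existing membership is fine.
        if ($_.FullyQualifiedErrorId -like 'MemberExists*') { return 'already a member' }
        throw   # unresolvable group name, access denied, and so on
    }
}

$result = Add-ServerAdminGroup -Member $GroupToAdd
Write-Output ('{0}: {1} -> {2}' -f $env:COMPUTERNAME, $GroupToAdd, $result)
```

Unlike Restricted Groups, a script like this only adds the group; it does not remove other accounts that were placed in the local Administrators group by hand.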

#3
| Re: Granting local admin rights on domain controller
The capability to separate local server management tasks on a domain controller from AD administration was introduced in Windows Server 2008-based RODCs - this separation is not available when dealing with writable domain controllers (Windows Server 2008 and earlier)...

hth
Marcin

"Micka" <Micka.3ibwvb@DoNotSpam.com> wrote in message news:Micka.3ibwvb@DoNotSpam.com...
>
> Hi I'm looking for a way to give a group local admin rights on DC's
> (preferably all servers in domain) without them getting any AD rights.
> This needs to happen because AD is managed by 1 team and the OS another
> team. I've looked through many forums and it doesn't seem possible as
> the DC's only have the builtin-admin group. I've tried creating a GPO
> restricted group but this gives them AD rights also.
>
> Also, is it possible to give a group local admin rights to all member
> servers (without manually adding to local groups individually)?
>
> Any info would be great, thanks!
>
>
> --
> Micka
> ------------------------------------------------------------------------
> Micka's Profile: http://forums.techarena.in/members/micka.htm
> View this thread: Granting local admin rights on domain controller
>
> http://forums.techarena.in

#4
| Re: Granting local admin rights on domain controller
Thanks for the advice Lanwench and I'll take that on board. You're right about the trust issue, but as we are a very large organisation certain teams are responsible for certain roles (i.e. OS, monitoring, DNS, AD etc.) so we didn't want to give out domain admin access to too many people. I think for the DCs we may just have to manage the services on it or temporarily grant access as needed.

Cheers

#5
| Re: Granting local admin rights on domain controller
Hello Micka,

On the DCs there are no local admin groups. For member servers you can use Restricted Groups: http://www.frickelsoft.net/blog/?p=13

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi I'm looking for a way to give a group local admin rights on DC's
> (preferably all servers in domain) without them getting any AD rights.
> This needs to happen because AD is managed by 1 team and the OS
> another team. I've looked through many forums and it doesn't seem
> possible as the DC's only have the builtin-admin group. I've tried
> creating a GPO restricted group but this gives them AD rights also.
>
> Also, is it possible to give a group local admin rights to all member
> servers (without manually adding to local groups individually)?
>
> Any info would be great, thanks!
>
> http://forums.techarena.in

#6
| Re: Granting local admin rights on domain controller
Hello Micka,

maybe this helps for renaming the clients: http://www.ss64.com/ntsyntax/qchange.html

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hi I'm looking for a way to give a group local admin rights on DC's
> (preferably all servers in domain) without them getting any AD rights.
> This needs to happen because AD is managed by 1 team and the OS
> another team. I've looked through many forums and it doesn't seem
> possible as the DC's only have the builtin-admin group. I've tried
> creating a GPO restricted group but this gives them AD rights also.
>
> Also, is it possible to give a group local admin rights to all member
> servers (without manually adding to local groups individually)?
>
> Any info would be great, thanks!
>
> http://forums.techarena.in

#7
| Re: Granting local admin rights on domain controller
Hello Meinolf,

Sorry, wrong posting for this answer.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hello Micka,
>
> maybe this helps for renaming the client's:
> http://www.ss64.com/ntsyntax/qchange.html
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>> Hi I'm looking for a way to give a group local admin rights on DC's
>> (preferably all servers in domain) without them getting any AD
>> rights. This needs to happen because AD is managed by 1 team and the
>> OS another team. I've looked through many forums and it doesn't seem
>> possible as the DC's only have the builtin-admin group. I've tried
>> creating a GPO restricted group but this gives them AD rights also.
>>
>> Also, is it possible to give a group local admin rights to all member
>> servers (without manually adding to local groups individually)?
>>
>> Any info would be great, thanks!
>>
>> http://forums.techarena.in

#8
| Re: Granting local admin rights on domain controller
Hello Lanwench [MVP - Exchange],

Actually 2008 RODC's will allow this now.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

> Micka <Micka.3ibwvb@DoNotSpam.com> wrote:
>
>> Hi I'm looking for a way to give a group local admin rights on DC's
>> (preferably all servers in domain) without them getting any AD
>> rights. This needs to happen because AD is managed by 1 team and the
>> OS another team. I've looked through many forums and it doesn't seem
>> possible as the DC's only have the builtin-admin group. I've tried
>> creating a GPO restricted group but this gives them AD rights also.
>>
>> Also, is it possible to give a group local admin rights to all member
>> servers (without manually adding to local groups individually)?
>>
>> Any info would be great, thanks!
>>
> There's no such thing as a local admin on a DC. I think your company
> needs to re-consider how it breaks up its admin duties. This doesn't
> make any sense. Someone who doesn't understand AD enough to be trusted
> with it, shouldn't be mucking around in the OS on a DC in the first
> place.
>
> For member servers, create an AD security group (I'd do universal) and
> add it to the local Administrators group. You can look into Restricted
> Groups (via group policy) or simply add the AD group to the local
> Administrators group manually or via startup script.

#9
| RE: Granting local admin rights on domain controller
You can give permissions through the built-in administrators group. If you look closer in the AD security the permissions for the Administrators groups (root of your domain) is Replication, which is not a big set of permissions compared to "domain admins".

Hope this helps

"Micka" wrote:
>
> Hi I'm looking for a way to give a group local admin rights on DC's
> (preferably all servers in domain) without them getting any AD rights.
> This needs to happen because AD is managed by 1 team and the OS another
> team. I've looked through many forums and it doesn't seem possible as
> the DC's only have the builtin-admin group. I've tried creating a GPO
> restricted group but this gives them AD rights also.
>
> Also, is it possible to give a group local admin rights to all member
> servers (without manually adding to local groups individually)?
>
> Any info would be great, thanks!
>
>
> --
> Micka
> ------------------------------------------------------------------------
> Micka's Profile: http://forums.techarena.in/members/micka.htm
> View this thread: Granting local admin rights on domain controller
>
> http://forums.techarena.in

#10
| Re: Granting local admin rights on domain controller
Paul Bergson [MVP-DS] <pbbergs@nospam_msn.com> wrote:
> Hello Lanwench [MVP - Exchange],
> Actually 2008 RODC's will allow this now.

Yes, thanks...I just saw Marcin's post on this. That's cool. I haven't worked much with 2008 yet. People really need to remember to post their versions! :-)

>> Micka <Micka.3ibwvb@DoNotSpam.com> wrote:
>>
>>> Hi I'm looking for a way to give a group local admin rights on DC's
>>> (preferably all servers in domain) without them getting any AD
>>> rights. This needs to happen because AD is managed by 1 team and the
>>> OS another team. I've looked through many forums and it doesn't seem
>>> possible as the DC's only have the builtin-admin group. I've tried
>>> creating a GPO restricted group but this gives them AD rights also.
>>>
>>> Also, is it possible to give a group local admin rights to all
>>> member servers (without manually adding to local groups
>>> individually)? Any info would be great, thanks!
>>>
>> There's no such thing as a local admin on a DC. I think your company
>> needs to re-consider how it breaks up its admin duties. This doesn't
>> make any sense. Someone who doesn't understand AD enough to be
>> trusted with it, shouldn't be mucking around in the OS on a DC in
>> the first place.
>>
>> For member servers, create an AD security group (I'd do universal)
>> and add it to the local Administrators group. You can look into
>> Restricted Groups (via group policy) or simply add the AD group to
>> the local Administrators group manually or via startup script.

#11
| Re: Granting local admin rights on domain controller
For member servers, do the Restricted Groups feature in GPO.

For DCs, do not delegate stuff ON a DC to anybody but a domain admin. Do not try to screw around with permissions. An admin of a DC is an admin in AD!

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto
# MVP Identity & Access - Directory Services
#
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

* How to ask a question --> http://support.microsoft.com/?id=555375
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

"Micka" <Micka.3ibwvb@DoNotSpam.com> wrote in message news:Micka.3ibwvb@DoNotSpam.com...
>
> Hi I'm looking for a way to give a group local admin rights on DC's
> (preferably all servers in domain) without them getting any AD rights.
> This needs to happen because AD is managed by 1 team and the OS another
> team. I've looked through many forums and it doesn't seem possible as
> the DC's only have the builtin-admin group. I've tried creating a GPO
> restricted group but this gives them AD rights also.
>
> Also, is it possible to give a group local admin rights to all member
> servers (without manually adding to local groups individually)?
>
> Any info would be great, thanks!
>
>
> --
> Micka
> ------------------------------------------------------------------------
> Micka's Profile: http://forums.techarena.in/members/micka.htm
> View this thread: Granting local admin rights on domain controller
>
> http://forums.techarena.in