Results 1 to 6 of 6

Thread: Granting local admin rights on domain controller

  1. #1
    Join Date
    Nov 2008
    Posts
    12

    Granting local admin rights on domain controller

    Hi I'm looking for a way to give a group local admin rights on DC's (preferably all servers in domain) without them getting any AD rights. This needs to happen because AD is managed by 1 team and the OS another team. I've looked through many forums and it doesn't seem possible as the DC's only have the builtin-admin group. I've tried creating a GPO restricted group but this gives them AD rights also.

    Also, is it possible to give a group local admin rights to all member servers (without manually adding to local groups individually)?

    Any info would be great, thanks!

  2. #2
    Join Date
    Dec 2005
    Posts
    945

    Re: Granting local admin rights on domain controller

    As far as i know there is no such thing in local admin on a Domain Controller. You will need to create a new AD security group for member servers and add
    it to the local Administrators group. Using Group Policy you can look into Restricted Groups or alternatively you can add the AD group to the local Administrators group manually.

  3. #3
    Join Date
    Sep 2004
    Posts
    150

    Re: Granting local admin rights on domain controller

    The ability to separate local server management tasks on DC from Active Directory administration was started since Windows Server 2008 based RODCs introduced. You will not get this separation while dealing with writable domain controllers.

  4. #4
    Join Date
    Nov 2008
    Posts
    12

    Re: Granting local admin rights on domain controller

    Thanks for the advice Lanwench and I'll take that onboard..

    Your right about the trust issue but as we are a very large organisation certain teams are responsible for certain roles (ie OS, monitoring, DNS, AD ect) so we didn't want to give out domain admin access to too many people. I think for the DC's we may just have to manage the services on it or temporarily grant access as needed.

    Cheers

  5. #5
    Join Date
    Jun 2006
    Posts
    206

    Re: Granting local admin rights on domain controller

    Hello Micka,

    It is correct to say that there use to be no Local Admin Group on DC's so for member servers you can use Restricted groups:

  6. #6
    Join Date
    Sep 2005
    Posts
    1,476

    RE: Granting local admin rights on domain controller

    Not sure but i think you can allow permissions using the built-in administrators group. If you look closer in the AD security the permissions for the Administrators groups is Replication, which is not a big set of permissions
    compared to "domain admins"

Similar Threads

  1. VB development without local admin rights?
    By Bottlenecked in forum Software Development
    Replies: 6
    Last Post: 25-09-2010, 09:02 PM
  2. Granting Domain Users Local Admin Rights
    By Jasonholt in forum Windows Security
    Replies: 2
    Last Post: 22-04-2009, 10:29 PM
  3. adding pc to a domain without admin rights
    By Breckon in forum Active Directory
    Replies: 2
    Last Post: 02-06-2008, 03:46 AM
  4. domain admin rights
    By Billie in forum Active Directory
    Replies: 4
    Last Post: 21-05-2008, 01:52 AM
  5. local admin rights
    By Leonard in forum Windows Server Help
    Replies: 4
    Last Post: 26-04-2008, 04:55 AM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,711,640,123.14368 seconds with 17 queries