Granting local admin rights on domain controller
Hi, I'm looking for a way to give a group local admin rights on DCs (preferably all servers in the domain) without them getting any AD rights. This needs to happen because AD is managed by one team and the OS by another team. I've looked through many forums and it doesn't seem possible, as the DCs only have the built-in Administrators group. I've tried creating a GPO Restricted Group, but this gives them AD rights also.
Also, is it possible to give a group local admin rights to all member servers (without manually adding to local groups individually)?
Any info would be great, thanks!
Re: Granting local admin rights on domain controller
As far as I know there is no such thing as local admin on a Domain Controller. You will need to create a new AD security group for member servers and add it to the local Administrators group. Using Group Policy you can look into Restricted Groups, or alternatively you can add the AD group to the local Administrators group manually.
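The member-server half of that advice, as an added PowerShell example that is not from any poster in this thread: create one domain security group and push it into BUILTIN\Administrators on every member server, deliberately skipping domain controllers (where Administrators is the directory-wide group the question is trying to avoid). The group name SRV-LocalAdmins, the OU path, and the domain name are assumptions; it assumes the RSAT ActiveDirectory module on the admin workstation and WinRM reachable on the servers.

```powershell
# Added example, not code from the original thread.
# Assumptions: RSAT ActiveDirectory module installed locally, PowerShell remoting
# enabled on member servers, and the hypothetical names below.
Import-Module ActiveDirectory

$GroupName = 'SRV-LocalAdmins'                  # hypothetical group name
$GroupOU   = 'OU=Groups,DC=example,DC=com'      # hypothetical OU

# 1. Create the security group once (idempotent). It gets no AD rights by
#    itself; it only becomes powerful where it is nested into Administrators.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupOU -Description 'Local Administrators on member servers, never on DCs'
}

# 2. Enumerate member servers only. Writable DCs carry primaryGroupID 516
#    (Domain Controllers) and RODCs 521, so both are excluded here; nesting the
#    group into Administrators on a DC would hand out directory admin rights.
$servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*' -and Enabled -eq 'True'" `
               -Properties OperatingSystem, primaryGroupID |
           Where-Object { $_.primaryGroupID -notin 516, 521 }

# 3. Add DOMAIN\Group to the local Administrators group on each server, skipping
#    hosts where it is already present. Unreachable hosts are reported, not fatal.
$member  = "$((Get-ADDomain).NetBIOSName)\$GroupName"
$results = Invoke-Command -ComputerName $servers.DNSHostName -ErrorAction Continue `
    -ArgumentList $member -ScriptBlock {
        param($Member)
        $existing = Get-LocalGroupMember -Group 'Administrators' |
                    Select-Object -ExpandProperty Name
        if ($existing -contains $Member) {
            "{0}: already present" -f $env:COMPUTERNAME
        } else {
            Add-LocalGroupMember -Group 'Administrators' -Member $Member
            "{0}: added" -f $env:COMPUTERNAME
        }
    }
$results

# 4. Sanity check: the new group must not itself be nested anywhere privileged
#    in the directory (Domain Admins, Enterprise Admins, BUILTIN\Administrators).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$bad = Get-ADPrincipalGroupMembership -Identity $GroupName |
       Where-Object { $_.Name -in $privileged }
if ($bad) { Write-Warning "$GroupName is nested in: $($bad.Name -join ', ')" }
else      { "$GroupName holds no directory-level admin membership" }
```

Get-LocalGroupMember and Add-LocalGroupMember ship with Windows Server 2016 and later; on older member servers replace the inner block with `net localgroup Administrators "$Member" /add`. Running this from a scheduled task keeps newly joined servers in line, which is the same effect a Restricted Groups GPO linked to the member-server OU would give, minus the risk of that GPO ever being linked to the Domain Controllers OU.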
Re: Granting local admin rights on domain controller
The ability to separate local server management tasks on a DC from Active Directory administration started with Windows Server 2008, when RODCs were introduced. You will not get this separation when dealing with writable domain controllers.
Re: Granting local admin rights on domain controller
Thanks for the advice Lanwench, and I'll take that on board.
You're right about the trust issue, but as we are a very large organisation certain teams are responsible for certain roles (i.e. OS, monitoring, DNS, AD etc.), so we didn't want to give out domain admin access to too many people. I think for the DCs we may just have to manage the services on them or temporarily grant access as needed.
Cheers
Re: Granting local admin rights on domain controller
Hello Micka,
It is correct to say that there used to be no local Administrators group on DCs, so for member servers you can use Restricted Groups:
Re: Granting local admin rights on domain controller
Not sure, but I think you can allow permissions using the built-in Administrators group. If you look closer in the AD security, the permission for the Administrators group is Replication, which is not a big set of permissions compared to "Domain Admins".