RE: local administrator on a domain controler...
- From: Allen Firouz <AllenFirouz@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 7 Jun 2005 12:51:04 -0700
Make the account a member of one or both of the following groups:
Account Operators (which can log on locally, Shut down the system and has
no members, and it can create and manage users and groups in the domain,
including its own membership and that of the Server Operators. This group is
a service administrator because it can modify Server Operators, which in turn
can modify domain controller settings. As a best practice, leave the
membership of this group empty and do not use it at all for any delegated
administration)
Server Operators (which can Back up files and directories, Change the system
time, Force shutdown from a remote system, Allow log on locally, Restore
files and directories, Shut down the system)
The rights associated with each group are defined in this white paper:
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
-Allen Firouz
"rbus" wrote:
> Hello !
>
> I need to set up an administrative account which can log on a w2k3 DC.
> This account must be able to logon, to start and stop services but not to
> administrate the full domain nor access to administrative shares on remote
> computers.
> Do you know how could I do that ?
>
> Thanks !
> Cheers
> rb
>
>
>
.
- References:
- local administrator on a domain controler...
- From: rbus
- local administrator on a domain controler...
- Prev by Date: RE: Block GPO inheritance from "computers" OU
- Next by Date: Re: logon to AD through firewall
- Previous by thread: local administrator on a domain controler...
- Next by thread: Re: local administrator on a domain controler...
- Index(es):
Relevant Pages
|
