Re: Grant Administrative Access to a Domain Controller

Archi one other thing . .

To clarify, this user cannot be a member of the domain admins group,
but shouldn't be if they are not managing AD. Use the capability of AD
to delegate the appropiate rights.

Matt


mfarr wrote:
Archi,

My colleague Mike is correct in saying you can deny access to Active
Driectory but still allow logon to the DC's. To do this, delegate read
only rights to your restricted administrator to everything within AD
then add that user to the list of accounts that can log on locally to
the dc within the Domain Controller Security Policy. Within the Domain
Controller Security Policy are also options to log on as a service,
etc for management functionality.

I recommend checking out Active Administrator from Scriptlogic to
handle the delegations of control within AD. With Active Administrator
you can easily configure these restricted permission within AD for your
admins via permissions templates that even self heal. Good luck.

Matt


Archi wrote:
We have a group Domain Server Operators and we need to give them admin rights
to domain controllers to restart services, install software and etc. But they
should not have rights to Active directory

"Jorge Silva" wrote:

Hi
Can you explain exactly what do you need to do?
also have a look at :
Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Archi" <Archi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:24F63807-E425-4294-AFFD-6A36ACD3DB97@xxxxxxxxxxxxxxxx
I need to give admin access to domain controllers for a certain domain
group
but without accessing Active directory.
Any options?


.

Relevant Pages

  • Re: Grant Administrative Access to a Domain Controller
    ... * This posting is provided "AS IS" with no warranties and confers no rights! ... to delegate the appropiate rights. ... Controller Security Policy are also options to log on as a service, ... to domain controllers to restart services, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Grant Administrative Access to a Domain Controller
    ... To do this, delegate read ... the dc within the Domain Controller Security Policy. ... Controller Security Policy are also options to log on as a service, ... I recommend checking out Active Administrator from Scriptlogic to ...
    (microsoft.public.windows.server.active_directory)