Re: Grant Administrative Access to a Domain Controller



Jorge you're a BAD boy...
;)

--

I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE

"Jorge de Almeida Pinto [MVP - DS]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message news:uJV5GAgKHHA.1240@xxxxxxxxxxxxxxxxxxxxxxx
OK, let me try to ask the question as pointed out by the original poster...

He wants some group of persons to:
(1) install software on a DC
(2) restart services on a DC

He does not want that same group of persons
(3) to be domain admin
(4) change ANYTHING in AD in ANY way...

If you guys (Mike and Matt) feel the problem/issue has been described correctly, please explain to me in detailed steps how you are going to configure things so that the original poster is able to accomplish requirements (1), (2), (3) and (4)...

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"mfarr" <mfarr@xxxxxxxxxxxxxxx> wrote in message news:1167249029.682242.42270@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Archi one other thing . .

To clarify, this user cannot be a member of the domain admins group,
but shouldn't be if they are not managing AD. Use the capability of AD
to delegate the appropriate rights.

Matt


mfarr wrote:
Archi,

My colleague Mike is correct in saying you can deny access to Active
Directory but still allow logon to the DCs. To do this, delegate read
only rights to your restricted administrator to everything within AD
then add that user to the list of accounts that can log on locally to
the DC within the Domain Controller Security Policy. Within the Domain
Controller Security Policy are also options to log on as a service,
etc for management functionality.

I recommend checking out Active Administrator from Scriptlogic to
handle the delegations of control within AD. With Active Administrator
you can easily configure these restricted permissions within AD for your
admins via permissions templates that even self heal. Good luck.

Matt


Archi wrote:
> We have a group Domain Server Operators and we need to give them admin rights
> to domain controllers to restart services, install software, etc. But they
> should not have rights to Active Directory
>
> "Jorge Silva" wrote:
>
> > Hi
> > Can you explain exactly what you need to do?
> > also have a look at :
> > Step-by-Step Guide to Using the Delegation of Control Wizard
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx
> >
> > --
> >
> > I hope that the information above helps you.
> > Have a Nice day.
> > Jorge Silva
> > MCSE
> >
> > "Archi" <Archi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:24F63807-E425-4294-AFFD-6A36ACD3DB97@xxxxxxxxxxxxxxxx
> > > I need to give admin access to domain controllers for a certain domain group
> > > but without accessing Active Directory.
> > > Any options?
> >



