Re: Delegating people as Administrators of a DC

From: "Marcin" <marcin@xxxxxxxxxxxxxxxx>
Date: Thu, 26 Feb 2009 20:05:07 -0500

Members of the domain local Administrators group have the same level of
privileges as far as Active Directory is concerned as Domain Admins.
Administrator role separation capability has been introduced in Windows
Server 2008-based domain controllers - and even in this case, it is limited
to Read Only Domain Controllers.
In other words, in your situation, you need to limit administrative access
to domain controllers to only those members of IT staff that you can trust
with full Domain Admin access...

hth
Marcin

"supersonic_oasis" <supersonicoasis@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:C3DB534C-8706-424F-87FE-30DA73582CAF@xxxxxxxxxxxxxxxx

Hi all,

We have an AD consisting of Win 2003 servers. I always log into them as
the
original Domain Administrator I created. We are about to add some more
DCs
and I need some other co-workers to be able to log into them and have
administrator rights (but I don't want them to log in as the Domain
Administrator that I log in as). My original plan was to go to the Local
Users and Groups snap-in and add them to Remote Desktop Users and
Administrators group. However, I just found out you can't use Local Users
and Groups on a DC. What do I need to do? Again, I need them to be able
to
log into the two new DCs, and have admin rights to only those DCs.

Any help is appreciated, thanks.

References:
- Delegating people as Administrators of a DC
  - From: supersonic_oasis

Prev by Date: Re: Issue with home folders
Next by Date: Thanks to Braindumps, I Just Succeded in My Microsoft Certification exams.
Previous by thread: Delegating people as Administrators of a DC
Next by thread: Re: Delegating people as Administrators of a DC
Index(es):
- Date
- Thread

Relevant Pages

Re: Domain Admin .vs Adminstrator Account
... THE Administrator account is the initial or default ... > However, the domain admins group is automatically added to the local> administrators group on all domain members, which means that> the domain admins account has full administrative control over all domain> member machines. ... The administrator account on the other hand, isn't as> powerful in this way (just being an administrator of the domain doesn't mean> you can install software on domain members); the administrator account is> much more powerful, as Cary already stated, from a domain administrative> stand point. ...
(microsoft.public.win2000.active_directory)
Re: How to change domain administrator to limited/restricted user?
... If it's "a" domain administrator, then remove the user from the ... If your users are members of the "Domain Admins" group then you have a big ... local workstation administrators group. ...
(microsoft.public.windows.server.sbs)
Re: full sharing between domain admins
... mentions a determined domain administrator ultimately has ways to gain ... themselves back in local administrators group for instance. ... > to the adminsitrative share of other domain admins, ... > by adding the other domain admin accounts to the "deny ...
(microsoft.public.win2000.security)
Re: Windows Service - Event Log
... I didn't say the Administrator account. ... Administrators group on the local machine." ... I didn't advocate using a member of the Administrator's group; ...
(microsoft.public.dotnet.languages.csharp)
Re: Restriction
... Only a user that is also in the local administrators group ... can manage membership in the local administrators group. ... 'change my account type' and make themselves administrator. ... My question is, as administrator, how do you change the limited account ...
(microsoft.public.windowsxp.security_admin)