Domain Controller Administration

Brian Rosario

We have domain controllers that are also application
servers at our branch locations. Currently we have too
many domain administrators because application support
people need admin privileges to support the
applications. We have set up the application support
people as local admins on member servers but now I need
to do something on the domain controllers. Is there some
sort of role I can give the application support people on
the domain controllers so they don't have to be domain
admins? We are a W2K shop with AD. Somebody please help.
 
Miha Pihler

Hi Brian,

What kind of access do they need? Local logon or Terminal Services access?
Domain Controller policy can be configured in a way that "normal" users can
log on either locally or using Terminal Services... Still, you should keep
the number of users that have these rights to a minimum.

Here is what you need to do. Open the Domain Controller OU and edit its policy.
Drill down under Computer Configuration -> Windows Settings -> Security
Settings -> Local Policy -> User Rights Assignment. Here, look for a policy,
e.g. "Allow logon locally", and double-click on the policy. Click on Add
Users and Groups and add a group of users that should have the right to
log on locally to this server.

You either need to wait for the new policy to "kick in", force replication, or
reboot the DC.

I hope this helps,

Mike
 
Brian Rosario

Mike,

Thanks for the information. But will this allow the user
to install, uninstall or update applications without
making them domain admins?

I will keep working on this.

Thanks,
Brian
 
Miha Pihler

Hi,

It depends on what tasks they need to perform on the server. Yes, you can enable
any user to be able to log on to a DC even if he/she is not a member of the Domain
Administrator group. But from here on, they will be restricted in what they are
allowed to do...

Mike
 
Steven L Umbach

Only domain admins can install applications, critical updates, change hardware,
reconfigure TCP/IP, etc. on domain controllers. Depending on your needs, look in AD
Users and Computers for the built-in groups such as account managers and server
operators to see if they can do what you need. Much of Active Directory
administration can be delegated to regular users, such as creating and managing
non-privileged accounts and editing Group Policy. --- Steve
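
The following is an added example, not part of any post in this thread: a Python check for the User Rights Assignment change and the built-in operator groups discussed above. It reads the `[Privilege Rights]` section of a security template export (the INF format written by `secedit /export`) and lists every holder of the "log on locally" right on a domain controller that is outside an expected set. The sample export, the domain SID in it, and the function names are constructed for illustration.

```python
# Added example. SAMPLE_INF is constructed; its domain SID and RID are made up.
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1604
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

# Well-known built-in group SIDs (identical in every domain).
BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
LOGON_RIGHTS = {"SeInteractiveLogonRight"}  # the "log on locally" user right

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; plain account names are not.
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit_logon_rights(inf_text, expected=frozenset(BUILTIN)):
    """List (right, principal, label) for logon-right holders outside `expected`."""
    findings = []
    for right, holders in parse_privilege_rights(inf_text).items():
        if right in LOGON_RIGHTS:
            for p in holders:
                if p not in expected:
                    findings.append((right, p, BUILTIN.get(p, "non-built-in principal")))
    return findings

if __name__ == "__main__":
    for right, principal, label in audit_logon_rights(SAMPLE_INF):
        print(f"{right}: {principal} ({label}) is outside the expected set")
```

Passing a narrower `expected` set, for example only the Administrators SID, also reports the operator groups, which helps when reviewing how many principals can log on to a DC at all.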
 
