Local admin rights on a domain controller?

[William H. Hiatt III]

We are in the process of designing and piloting Active Directory. We have
over 100+ remote offices, each one will receive a server that will be there
local domain controller as well as file and print server.

Here is my problem. I need to give certain groups local admin rights on
their respective server in each office. However, I do NOT want them to have
domain admin rights.

Unfortunately, I don't know a single way of doing this, and was hoping you
might be able to help. Any thoughts?


Thank You


William

 

[Charlie]

Sabin -
I started to reply to this the same way - with Restricted
Groups in mind. I then re-read his post and noticed that
he is talking about domain controllers only.
William -
If you simply place those users in the Administrators
Group (domain local group) as opposed to Domain Admins
(global group), they do not have administrator rights on
anything other than the DCs.
You say that you need to give certain "groups" rights.
If you mean that the respective users are already in
groups, you can just add those groups to the
Administrators Group, rather than adding individual
users, as long as they're global groups.
If you only have one domain and want those users to have
admin rights only on the DCs in their offices, you're out
of luck. If that's the case, rethink exactly what tasks
you want those users to perform and consider Server
Operators, Print Operators, Account Operators. Or create
your own group and customize it to give it certain rights
using the Domain Controllers OU Group Policy.

 

[Oli Restorick [MVP]]

Sabin -- looks like you're posting the URL of an internal server...