"Local administrator" access to one DC without being full administrator on the whole domain


Morten Østergaard

Hi,

We have a small domain with a total of 20 users primarily located in the
main offices here in Denmark. We also have an office in the US where there
are a few users and a few local servers. Between these sites there is a VPN
connection and it is all run as one single domain. There is one DC in
Denmark and a DC in the US as well. The AD is split into two OUs and the
local administrator in the US office has been delegated full rights for his
OU. All this works fine - he can administer users, groups and computers in
his "part" of the domain.

However, I also want the local administrator in the US to have "local
administrator" access over his own DC but without having full administrator
access to the full domain. The reason is that that DC is also handling
file/printer sharing. On pure "member server" there is no problem in giving
him "local administrator access" - we just add his user account, or one of
his groups, to the member server's private "Administrators" group. But the
story is different on the DC - here there are no such private groups.

What I've tried to do is to work with the GPO section "Computer
Configuration\Windows Settings\Security Settings\Local Policies\User Rights
Assignment" and add the user that needs access to the local DC to pretty much
all the rights (apart from "Take Ownership"). It gives the user some rights
on the DC - e.g. stopping and starting drivers now works, but other things
like Disk Management and Windows Update are still not possible (Windows
Update complains that the user is not an Administrator!).

What in fact makes up the "local administrator"? Is it just the things in
the above GPO section, or are there other settings in the GPO that need
attention? Is there any other, preferably simpler, way of giving a user or
a group full administrative rights over just a DC? This must be a pretty
normal task, or?

I really hope someone can help me on this matter. I would appreciate any
input :)

Thanks in advance
Morten Nielsen

Tim Springston (MSFT)

Hi Morten-

Our security model does not make what you are trying to do easy. Basically,
I would not recommend attempting to restrict a domain administrator's access.

If you do not want them to have that level of access it would be best to
rethink whether they should be an admin at all, or create a separate
environment for them (an administrative boundary, such as a separate domain).

For this to work correctly you need to create a separate domain in the
forest for each location. They can be separate trees so that the namespace
appears differently, but this way the US administrator can have control and
access to what he or she needs and you can have control and access to what
you need.

Here's a good general reference on security:

The Ten Immutable Laws of Security
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

If I've misunderstood your scenario or if you have additional questions or
concerns please repost.
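The two posts above turn on one fact: on a member server "local administrator" means membership of that machine's own Administrators group, but a DC has no local SAM, so BUILTIN\Administrators (and the operator groups) live in the domain partition and are shared by every DC. The following PowerShell is an added example written for this thread, not code from either poster or from Microsoft. It assumes the ActiveDirectory module (RSAT) is installed and that it is run with administrative rights on a DC. It first exports the User Rights Assignment that is actually in effect on the machine (the settings the first post was editing through GPO), then lists every principal that holds membership in the groups granting administrative control over all DCs, which is why that control cannot be scoped to a single DC.

```powershell
# Added example for this thread; assumes the ActiveDirectory (RSAT) module
# and administrative rights on the DC where it runs.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# 1. Effective User Rights Assignment on this machine.
#    secedit writes an INI-style file whose [Privilege Rights] section lists
#    each privilege (SeBackupPrivilege, SeLoadDriverPrivilege, ...) with the
#    SIDs that hold it. These are the rights the GPO section in the thread
#    edits; they are privileges, not Administrators group membership.
function Get-EffectiveUserRights {
    $cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'   # constructed path
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    Get-Content $cfg |
        Where-Object { $_ -match '^Se\w+ = ' } |
        ForEach-Object {
            $name, $holders = $_ -split ' = ', 2
            [pscustomobject]@{
                Privilege = $name.Trim()
                Holders   = ($holders -split ',' | ForEach-Object { $_.TrimStart('*') })
            }
        }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

# 2. Groups whose membership confers administrative control over every DC in
#    the domain. They are domain objects, not per-DC objects, so a user placed
#    in any of them is an administrator on all DCs at once.
function Get-DcAdminPrincipals {
    $groups = @('Administrators', 'Domain Admins', 'Server Operators',
                'Backup Operators', 'Account Operators', 'Print Operators')
    foreach ($g in $groups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Group       = $g
                        Member      = $_.SamAccountName
                        ObjectClass = $_.objectClass
                    }
                }
        } catch {
            Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
        }
    }
}

"=== DCs sharing these groups ==="
Get-ADDomainController -Filter * | Select-Object HostName, Site | Format-Table -AutoSize

"=== Effective User Rights Assignment on $env:COMPUTERNAME ==="
Get-EffectiveUserRights | Format-Table -AutoSize

"=== Principals with administrative control over all DCs ==="
Get-DcAdminPrincipals | Sort-Object Group, Member | Format-Table -AutoSize
```

Reading the two tables side by side shows the gap the first post ran into: granting privileges such as SeLoadDriverPrivilege through User Rights Assignment changes the first table only, while tools that check for Administrators membership (Windows Update, Disk Management) look at the second, and that membership is domain-wide. Reviewing the second list periodically is also the practical check for the answer's point that anyone given it is effectively a domain administrator.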