Log on Locally

[Guest]

On a Domain Controller, there are no local users or groups. We have a DC in
a remote site, so there is a person there who needs to be able to manage the
hardware, i.e. put the system on a KVM. In this case the individual needs to
reboot the system, but he is not a domain admin. How do I enable him to log
on to the system to shut it down gracefully without making him a domain admin?

 

[rickiez]

You could edit the local system policy of the DC using gpedit.msc and
grant him the individual rights to log on locally and restart.

 

[Guest]

You could edit the local system policy of the DC using gpedit.msc and
grant him the individual rights to log on locally and restart.

Or simply add him to Server operators group which is design for such task.

 

[Guest]

The problem with adding to the log on locally portion of the default domain
controllers policy is he'll have this right on all domain controllers. You
could create an OU under the Domain Controllers OU, move the target DC there,
create a policy on that new OU and configure just the settings you need to
apply to that one DC. Be sure to copy the settings in the Default Domain
Controller Pollcy and add that user as well. This way this user will just
have the rights you designate to that one DC and it won't affect what
Administrators, Domain Admins or Server Operators.

Joe Wilson