| What is the best way to allow a user to install software
| etc etc to a domain controller but not adding member of
| domain admins.
| Im member server is just adding the account to local admin
| groups but there is none in DC.
|
| Please advise
|
|
|
Ovvy,
The easiest way is to go into Active Directory Users and Computers. Right
click on the Domain Controllers OU and click on Properties. Then click on
the Group Policy tab. You can either modify the Default Domain Controllers
policy or create a new policy. Microsoft recommends not making
modifications to the Default Domain Controllers policy. Therefore, create a
new policy and name it 'Logon Locally', then edit the policy. Navigate to
Computer Configuration > Windows Settings > Security Settings > Local
Policies > User Rights Assignment. In here you will find a policy that will
allow you to define who has Log on Locally rights. Add the users you want
but also make sure you add Account Operators, Administrators, Backup
Operators, Print Operators, and Server Operators. This will duplicate the
users that are being allowed by the Default Domain Controller Policy.
Chad A. Lacy
Windows 2000 Directory Services
==================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================
This posting is provided "AS IS" with no warranties, and confers no rights.