Admin rights on a dc without domain adim rights.

Discussion in 'Active Directory' started by x, May 10, 2007.

  1. x

    x Guest

    Anyone one have a clue if you can give a user admin rights to a single
    dc without giving them domain admin or admin rights?

    We have an admin that only needs to run patches, updates, install/remove
    software on a dc, but not have the right to access the other dcs.

    This is all in one domain.
    x, May 10, 2007
  2. x

    Anthony Guest

    Not possible. You need admin rights to install software (mostly) and anyone
    with admin rights on a DC has control of the domain. You have to do it
    Anthony, May 10, 2007
  3. I would highly suggest you don't install any software on your dc, this is
    what member servers are for. Find a member server that is available and
    grant this user local admin rights on this and leave the DC to be just that,
    a DC.

    Once you grant someone Administrator rights on a DC you grant the rights to
    do anything they want, look at any document they want, etc... Find a member
    server and keep the number of users that have domain admin rights down to
    two or three.
    Paul Bergson [MVP-DS], May 10, 2007
  4. No you absolutely cannot do this.

    Some people think you can, those people are dead wrong.

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---
    Joe Richards [MVP], May 11, 2007
  5. x

    DevilsPGD Guest

    In message <#> "Joe Richards [MVP]"
    You can fake it though (which is far, far worse)
    DevilsPGD, May 11, 2007
