Administer DC at remote site without domain admin rights

Discussion in 'Server Security' started by bitwrangler, Oct 26, 2004.

  1. bitwrangler

    bitwrangler Guest

    I have a server at a remote site that is a domain controller (W2k3
    standard). I would like to give a user the ability to be an admin on
    the local box without being a domain admin. Being that there is no
    local logon now that it's a DC, I think I may be out of luck but
    wondered if anyone had a suggestion?

    Greg
     
    bitwrangler, Oct 26, 2004
    #1

  2. Depending on what you want the user to be able to do you have some options.
    You can delegate authority in Active Directory over an OU or such if you
    want the user to create/manage users, groups, and computer accounts. For
    managing the server you can add the user to privileged accounts such as
    server operator, print operator, network configuration operators, and backup
    operators. There are also a lot of user rights that you can add the user to
    that will allow him to do some tasks such as load and unload device drivers
    and manage auditing and security log. The link below explains the user
    rights on Windows 2003. Note that for domain controllers user rights are
    defined in Domain Controller Security Policy. To prevent a user from having
    user rights on all domain controllers, you would have to create an OU within
    the domain controller container to move that dc into and then create a GPO
    for it to configure the needed user rights. All other Domain Controller
    Security Policy will be inherited by that OU except what you define in the
    GPO for it. Services can also be configured so that additional users can
    start and stop a service. This can be done via Group Policy, through
    Security Configuration and Analysis MMC snap-in tool, or with subinacl as
    described in the second link below. I would not recommend using Group Policy
    unless the GPO applies to only that domain controller.

    http://www.microsoft.com/technet/Security/prodtech/win2003/w2003hg/sgch03.mspx#E0EB0AA
    http://support.microsoft.com/?kbid=288129

    Installing updates and applications could be a problem however if you need
    the user to do such. Updates can be installed automatically if the update
    client is configured to install by schedule, however you may not want to do
    that on a domain controller unless you are using Software Update Services
    which gives you the ability to approve updates before they are installed.
    Applications that use an .msi extension can be installed by assignment via
    Group Policy without any user intervention. For those situations when this
    user cannot do tasks, you could remote into the domain controller via
    Remote Desktop to perform the tasks. IPsec filtering policy using filters
    and permit/block filter actions could be used to allow inbound connections
    from only the IP addresses of authorized computers to minimize the risk of
    enabling Remote Desktop. --- Steve
     
    Steven L Umbach, Oct 26, 2004
    #2
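The delegation Steve outlines, written up as an added example in modern PowerShell (not from the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and the DC, user, OU and GPO names are placeholders to replace):

```powershell
# Added example, not from the thread: per-DC child OU under the Domain
# Controllers container, a dedicated GPO linked to it, and limited built-in
# group membership instead of Domain Admins. Run as an account allowed to
# modify the Domain Controllers OU. All names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$RemoteDc  = 'DC-REMOTE'                     # placeholder: remote site DC
$SiteAdmin = 'gsmith'                        # placeholder: delegated user
$ChildOu   = 'Remote Site DCs'               # placeholder: new OU name
$GpoName   = 'Remote Site DC - User Rights'  # placeholder: new GPO name

$domainDn = (Get-ADDomain).DistinguishedName
$dcOuDn   = "OU=Domain Controllers,$domainDn"
$childDn  = "OU=$ChildOu,$dcOuDn"

# 1. Child OU *inside* Domain Controllers: Default Domain Controllers Policy
#    is still inherited; only the new GPO adds rights for this one DC.
if (-not (Get-ADOrganizationalUnit -Identity $childDn -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $ChildOu -Path $dcOuDn -ProtectedFromAccidentalDeletion $true
}

# 2. Move only the remote DC's computer object into that OU.
$dcObject = Get-ADComputer -Identity $RemoteDc
if ($dcObject.DistinguishedName -notlike "*,$childDn") {
    Move-ADObject -Identity $dcObject.DistinguishedName -TargetPath $childDn
}

# 3. Create and link the GPO. User Rights Assignment (e.g. "Load and unload
#    device drivers", "Manage auditing and security log") has no cmdlet, so
#    set it in GPMC under Computer Configuration > Policies > Windows Settings
#    > Security Settings > Local Policies > User Rights Assignment.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
if ((Get-GPInheritance -Target $childDn).GpoLinks.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $childDn | Out-Null
}

# 4. Built-in groups instead of Domain Admins. Caveat from the thread:
#    these groups are domain-wide, so membership applies on every DC.
foreach ($group in 'Server Operators', 'Backup Operators') {
    $members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $SiteAdmin) { Add-ADGroupMember -Identity $group -Members $SiteAdmin }
}

# 5. Report what is now in effect for review.
(Get-GPInheritance -Target $childDn).GpoLinks | Format-Table DisplayName, Enabled, Enforced -AutoSize
Get-ADPrincipalGroupMembership -Identity $SiteAdmin | Select-Object Name
```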

  3. John Gerone

    John Gerone Guest

    IMPOSSIBLE!! On a DC there is NO local administrator account.
     
    John Gerone, Oct 27, 2004
    #3
  4. Steve has provided a number of excellent ideas/pointers.
    You should by all means see whether your scenario(s) can be
    done through those methods.

    If it is necessary that the person must be an admin for the DC,
    you can make them a member of the domain\Administrators
    group instead of domain\Domain Admins.
    This will limit the person to being an admin (on every DC, not
    just the one you intend) but will not confer the wider scope of
    administrative access that Domain Admins carries.
     
    Roger Abell [MVP], Oct 27, 2004
    #4
  5. bitwrangler

    bitwrangler Guest

    You guys are awesome. That's just what I was looking for.

    Thanks,

    Greg
     
    bitwrangler, Oct 27, 2004
    #5