Want to make an Admin for only one Domain Controller

Posted by OscarVogel on April 7, 2006, 4:42 pm
We have 4 DCs. I want to give full administrative privileges to a user, but
only for that one DC. On all other servers I want him to be treated as a
standard Domain User.

How do I do that? Is it possible?

If it's NOT possible (or simple enough) I intend to demote that DC and then
make him a local admin.

Thanks!



Posted by David V on April 7, 2006, 5:35 pm
If the DC is in a different site than the others, yes. Open AD Sites and
Services, right-click on the site containing that DC, and select Delegate
Control. This opens the Delegate Control Wizard, which you can complete to
give this user administrative control within that site.
Since the Delegate Control Wizard is only available for AD containers, if
the DC is in the same site as the others, you would have to move the DC to an
OU other than the Domain Controllers OU, which is generally not recommended.
You might want to try creating a child OU within the Domain Controllers OU,
and moving the DC into that. I've never actually done that, but it might be
worth a try.

Good Luck!

"OscarVogel" wrote:

> We have 4 DCs. I want to give full administrative privileges to a user, but
> only for that one DC. On all other servers I want him to be treated as a
> standard Domain User.
>
> How do I do that? Is it possible?
>
> If it's NOT possible (or simple enough) I intend to demote that DC and then
> make him a local admin.
>
> Thanks!
>
>
>

Posted by Roger Abell [MVP] on April 8, 2006, 1:25 am
I am doubting this as a solution.
The poster wants the account to be admin on the one DC.
The only way to be admin is to be admin, which is then that
way for all DCs of the domain, whether via the domain's
Administrators group or the Domain Admins group.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

> If the DC is in a different site than the others, yes. Open AD Sites and
> Services, right-click on the site containing that DC, and select Delegate
> Control. This opens the Delegate Control Wizard, which you can complete
> to
> give this user administrative control within that site.
> Since the Delegate Control Wizard is only available for AD containers, if
> the DC is in the same site as the others, you would have to move the DC to
> an
> OU other than the Domain Controllers OU, which is generally not
> recommended.
> You might want to try creating a child OU within the Domain Controllers
> OU,
> and moving the DC into that. I've never actually done that, but it might
> be
> worth a try.
>
> Good Luck!
>
> "OscarVogel" wrote:
>
>> We have 4 DCs. I want to give full administrative privileges to a user,
>> but
>> only for that one DC. On all other servers I want him to be treated as a
>> standard Domain User.
>>
>> How do I do that? Is it possible?
>>
>> If it's NOT possible (or simple enough) I intend to demote that DC and
>> then
>> make him a local admin.
>>
>> Thanks!
>>
>>
>>



Posted by Joe Richards [MVP] on April 9, 2006, 8:08 pm
No. Absolutely not.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



David V wrote:
> If the DC is in a different site than the others, yes. Open AD Sites and
> Services, right-click on the site containing that DC, and select Delegate
> Control. This opens the Delegate Control Wizard, which you can complete to
> give this user administrative control within that site.
> Since the Delegate Control Wizard is only available for AD containers, if
> the DC is in the same site as the others, you would have to move the DC to an
> OU other than the Domain Controllers OU, which is generally not recommended.
> You might want to try creating a child OU within the Domain Controllers OU,
> and moving the DC into that. I've never actually done that, but it might be
> worth a try.
>
> Good Luck!
>
> "OscarVogel" wrote:
>
>> We have 4 DCs. I want to give full administrative privileges to a user, but
>> only for that one DC. On all other servers I want him to be treated as a
>> standard Domain User.
>>
>> How do I do that? Is it possible?
>>
>> If it's NOT possible (or simple enough) I intend to demote that DC and then
>> make him a local admin.
>>
>> Thanks!
>>
>>
>>

Posted by Steven L Umbach on April 7, 2006, 7:10 pm
That is not possible. About the best you could do is to look at privileged
groups such as server operators and network configuration operators to add
the user to in order to let him do some extra functions but then he would
have those extra powers over all domain controllers. --- Steve


> We have 4 DCs. I want to give full administrative privileges to a user,
> but only for that one DC. On all other servers I want him to be treated as
> a standard Domain User.
>
> How do I do that? Is it possible?
>
> If it's NOT possible (or simple enough) I intend to demote that DC and
> then make him a local admin.
>
> Thanks!
>
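
The replies above agree that membership in Administrators, Domain Admins or the built-in operator groups carries over to every DC in the domain. The following is an added example, not part of the original thread, that lists who currently holds those domain-wide rights; it assumes the RSAT ActiveDirectory PowerShell module (which postdates this thread) and read access to the directory, and the choice of groups beyond the ones named in the thread is this example's own.

```powershell
# Added example: audit who holds rights that apply on every DC in the domain.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

# Groups named in the thread, plus the other built-in operator groups
# (an assumption of this example) whose rights are defined on domain controllers.
$dcWideGroups = @(
    'Administrators',
    'Domain Admins',
    'Server Operators',
    'Network Configuration Operators',
    'Account Operators',
    'Backup Operators',
    'Print Operators'
)

$report = foreach ($name in $dcWideGroups) {
    try {
        $group = Get-ADGroup -Identity $name -ErrorAction Stop
    } catch {
        Write-Warning "Group '$name' not found in this domain: $_"
        continue
    }
    # -Recursive expands nested groups so indirect members are not missed.
    Get-ADGroupMember -Identity $group -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                Group             = $group.Name
                Member            = $_.SamAccountName
                ObjectClass       = $_.objectClass
                DistinguishedName = $_.distinguishedName
            }
        }
}

# One row per (group, member); every account listed has that group's rights on all DCs.
$report | Sort-Object Member, Group | Format-Table -AutoSize

# Accounts that reach DC-wide rights through more than one group.
$report | Group-Object Member | Where-Object Count -gt 1 |
    Select-Object Name, @{ n = 'Groups'; e = { $_.Group.Group -join ', ' } }
```

Because the expansion is recursive, an account that is only nested inside another group (for example via Domain Admins inside Administrators) still appears in the report.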


