
Want to make an Admin for only one Domain Controller

microsoft.public.windows.server.security
Subject Author Date
Want to make an Admin for only one Domain Controller OscarVogel 04-07-2006
Posted by Roger Abell [MVP] on April 8, 2006, 1:26 am
demote it

--
Roger Abell
Microsoft MVP (Windows Server : Security)

> We have 4 DCs. I want to give full administrative privileges to a user,
> but only for that one DC. On all other servers I want him to be treated as
> a standard Domain User.
>
> How do I do that? Is it possible?
>
> If it's NOT possible (or simple enough) I intend to demote that DC and
> then make him a local admin.
>
> Thanks!
>



Posted by OscarVogel on April 8, 2006, 10:27 am
Thanks for the help.

I'd LIKE to try creating a child OU within the Domain Controllers OU,
and moving the DC into that, just to see if it would work.

But it's not a good time to experiment, so I demoted it.

Thanks again!


> We have 4 DCs. I want to give full administrative privileges to a user,
> but only for that one DC. On all other servers I want him to be treated as
> a standard Domain User.
>
> How do I do that? Is it possible?
>
> If it's NOT possible (or simple enough) I intend to demote that DC and
> then make him a local admin.
>
> Thanks!
>



Posted by Steven L Umbach on April 8, 2006, 1:15 pm
That would not work for what you want as it would not mitigate any threat of
the user having administrator powers over the whole domain and all domain
controllers. You cannot delegate, for instance, the ability of a user to
install software, change NTFS permissions, edit Local Security
Policy/import security templates, or add hardware to a domain controller.
Delegation is used to give non administrators the ability to manage most
Active Directory functions such as edit Group Policy and create/manage non
privileged users and computer accounts. --- Steve


> Thanks for the help.
>
> I'd LIKE to try creating a child OU within the Domain Controllers OU,
> and moving the DC into that, just to see if it would work.
>
> But it's not a good time to experiment, so I demoted it.
>
> Thanks again!
>
>
>> We have 4 DCs. I want to give full administrative privileges to a user,
>> but only for that one DC. On all other servers I want him to be treated
>> as a standard Domain User.
>>
>> How do I do that? Is it possible?
>>
>> If it's NOT possible (or simple enough) I intend to demote that DC and
>> then make him a local admin.
>>
>> Thanks!
>>
>
>



Posted by Joe Richards [MVP] on April 9, 2006, 8:09 pm
Demote the server. Anything you try to do can be defeated.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



OscarVogel wrote:
> We have 4 DCs. I want to give full administrative privileges to a user, but
> only for that one DC. On all other servers I want him to be treated as a
> standard Domain User.
>
> How do I do that? Is it possible?
>
> If it's NOT possible (or simple enough) I intend to demote that DC and then
> make him a local admin.
>
> Thanks!
>
>
