Server Access Rights

Tutorials Win: Microsoft Windows Forum

When I have a "member" server, I create a group in AD for admining the
server. I then put this group in the server's local Admin Group. This
works fine.

However, how do I do this for a server that is one of my domain
controllers? They don't have local account & groups?

Obviously, this is not an issue for (as the domain admin), but it is an
issue if I want to have someone have admin rights for just a specific
server.


Any help would be appreciated.
Top

RE: Server Access Rights by jwd

jwd
Wed Jun 18 05:02:02 PDT 2008


Only Domain Admins can be administers of servers which are Domain
Controllers. Makes sense when you think about it - why would you want
someone you don't trust enough to be a Domain Admin changing things on your
Domain Controllers.

Best Regards
Joe Dunn MCSE


"Bruce Currier" wrote:

> When I have a "member" server, I create a group in AD for admining the
> server. I then put this group in the server's local Admin Group. This
> works fine.
>
> However, how do I do this for a server that is one of my domain
> controllers? They don't have local account & groups?
>
> Obviously, this is not an issue for (as the domain admin), but it is an
> issue if I want to have someone have admin rights for just a specific
> server.
>
>
> Any help would be appreciated.
>
>
>
Top

Re: Server Access Rights by Paul

Paul
Wed Jun 18 05:46:55 PDT 2008

This is a bad idea for 2003 and before dc's, since this privilege will be
applied to all dc's in the domain. With Windows 2008 you can create RO dc's
that allow you to delegate non-admins elevated privileges on a particular dc
w/o it impacting the entire domain's dc's.



--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Bruce Currier" <bacurrier@sealinfo.com> wrote in message
news:OzqASlT0IHA.4004@TK2MSFTNGP03.phx.gbl...
> When I have a "member" server, I create a group in AD for admining the
> server. I then put this group in the server's local Admin Group. This
> works fine.
>
> However, how do I do this for a server that is one of my domain
> controllers? They don't have local account & groups?
>
> Obviously, this is not an issue for (as the domain admin), but it is an
> issue if I want to have someone have admin rights for just a specific
> server.
>
>
> Any help would be appreciated.
>


Top

Re: Server Access Rights by Jorge

Jorge
Wed Jun 18 12:40:44 PDT 2008

for DCs you don't. If you make someone admin on ONE DC, their admin on ALL
DCs in the same domain and not that far from in the forest

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Bruce Currier" <bacurrier@sealinfo.com> wrote in message
news:OzqASlT0IHA.4004@TK2MSFTNGP03.phx.gbl...
> When I have a "member" server, I create a group in AD for admining the
> server. I then put this group in the server's local Admin Group. This
> works fine.
>
> However, how do I do this for a server that is one of my domain
> controllers? They don't have local account & groups?
>
> Obviously, this is not an issue for (as the domain admin), but it is an
> issue if I want to have someone have admin rights for just a specific
> server.
>
>
> Any help would be appreciated.
>

Top

Re: Server Access Rights by Bruce

Bruce
Thu Jun 19 05:26:31 PDT 2008

Thanks for the replies. I was afraid that was the answer, but I had to ask.
This just means we have to look at what applications/services we put on our
DC's a little bit more carefully.


"Bruce Currier" <bacurrier@sealinfo.com> wrote in message
news:OzqASlT0IHA.4004@TK2MSFTNGP03.phx.gbl...
> When I have a "member" server, I create a group in AD for admining the
> server. I then put this group in the server's local Admin Group. This
> works fine.
>
> However, how do I do this for a server that is one of my domain
> controllers? They don't have local account & groups?
>
> Obviously, this is not an issue for (as the domain admin), but it is an
> issue if I want to have someone have admin rights for just a specific
> server.
>
>
> Any help would be appreciated.
>


Top