Posted by Roger Abell [MVP] on August 19, 2008, 11:06 pm
> Brodieman wrote:
>> I have a requirement to be able to let certain sets of
>> administrators the ability to log in to domain controllers
>> without permissions over the whole domain.
>>
>> Although I can give the users PowerUser or LocalLogon rights via
>> making a domain security group a member of the PowerUser or
>> LocalLogon group there does not appear to be a local admin group
>> on DCs.
>>
>> Can you with Server 2003 give a user just local admin to a DC
>> without DA rights???
>
> S. Pidgorny <MVP> wrote:
>> No. You can grant permission to log on locally (group policy -
>> user rights assignments) and via remote desktop, and other rights
>> and permissions, but there's no such thing as local administrators
>> on DCs.
>
> Brodieman wrote:
>> Thank you for that, I guess that might be the case.
>
>
> No need for guessing.
> Domain Controllers do not have local accounts.
>
>
> http://windowsitpro.com/article/articleid/76765/jsi-tip-5461-what-happens-to-the-local-user-accounts-when-i-promote-a-server-to-a-domain-controller.html
>
>
> http://techrepublic.com.com/5208-7343-0.html?forumID=102&threadID=268861&start=0
>
> Good luck!
>
> --
> Shenan Stanley
> MS-MVP
> --
While it is true that there is no local SAM of accounts during normal
DC operations, the requirement the poster stated, to allow them to be
admins on the DCs without being admins over Active Directory, is
satisfied by the Administrators group of the domain. Accounts in
that group are pretty much just domain users that also have admin
(i.e. server admin) rights when logged into a DC. They do not have
extra permissions in AD or on joined machines.
Roger