Administer Rights for a Domain Controller without full Domian Admin Rights

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I would like to grant an outside contractor admin rights
(to install programs, backup, and edit the registry) on a
domain controller without granting them access to any of
the other domain controllers, or the domain workstations.
I tried to give them rights to log on locally and full
control over the c: share on the specific server but they
still complain they can't import to the registry and
install things. Any ideas are greatly appreciated.

Thanks in advance,
Doug
 
I think you're in the wrong group here, but anyway. Domain controllers share
their security database with all user and group settings among all domain
controllers in the domain. If you need to be an administrator on one domain
controller you will be administrator on all domain controllers and all
domain settings. To do this the user must be a member of the Administrators
group.

This is not the same as being a Domain Admin. Domain Admins are
administrators on the domain controllers and all other computers of the
domain. If you can live with the fact that this user has all the privileges
on the other domain controllers and the domain itself but not on other
servers or workstations you can make him a member of the administrators
group. Keep in mind that in that case the user has enough rights to make
himself Domain Admin...

You can also try to make the user a member of the server operators group,
but than again this will apply to all domain controllers. Otherwise you'll
have to find out all rights that the user needs and change the rights on the
resource level (registry, files, folders)
 
Back
Top