Domain Controller Administration


Brian Rosario

We have domain controllers that are also application
servers at our branch locations. Currently we have too
many domain administrators because application support
people need admin privileges to support the
applications. We have set up the application support
people as local admins on member servers but now I need
to do something on the domain controllers. Is there some
sort of role I can give the application support people on
the domain controllers so they don't have to be domain
admins? We are a W2K shop with AD. Somebody please help.
 
Hi Brian,

What kind of access do they need? Local logon or Terminal Services Access?
Domain Controller policy can be configured in a way that "normal" users can
log on either locally or using Terminal Services... Still, you should keep
the number of users that have this right to a minimum.

Here is what you need to do. Open the Domain Controller OU and edit its policy.
Drill down under Computer Configuration -> Windows Settings -> Security
Settings -> Local Policy -> User Rights Assignment. Here look for policy
e.g. "Allow logon locally" and double click on the policy. Click on Add
Users and Groups and add a group of users that should have the right to
logon locally to this server.

You either need to wait for the new policy to "kick in", force replication, or
reboot the DC.

I hope this helps,

Mike
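
A way to check which principals end up holding the "Allow logon locally" right after the policy change described in the post above. This is an added example, not part of the original thread: it assumes the policy is available as a security-template INF (the `[Privilege Rights]` format that `secedit /export` writes), the baseline of built-in groups is an assumption to adjust, and `BRANCH\AppSupport` is a hypothetical group name in constructed sample data.

```python
# Added example: audit a security-template export for logon rights on a DC.
# Assumed input: INF text containing a [Privilege Rights] section.
import configparser

# Built-in groups treated as the expected baseline (an assumption; adjust to your policy).
# SIDs in the export are prefixed with '*'; unresolved accounts appear by name.
BASELINE = {
    "*S-1-5-32-544": "Administrators",
    "*S-1-5-32-548": "Account Operators",
    "*S-1-5-32-549": "Server Operators",
    "*S-1-5-32-550": "Print Operators",
    "*S-1-5-32-551": "Backup Operators",
}
LOGON_RIGHTS = ("SeInteractiveLogonRight",)  # the "Allow logon locally" right

# Constructed sample export; BRANCH\AppSupport is a hypothetical group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,BRANCH\\AppSupport
SeShutdownPrivilege = *S-1-5-32-544
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: [p.strip() for p in value.split(",") if p.strip()]
            for right, value in cp.items("Privilege Rights")}

def extra_logon_principals(inf_text, baseline=BASELINE):
    """List (right, principal) pairs that hold a logon right but are not in the baseline."""
    rights = parse_privilege_rights(inf_text)
    return [(right, who) for right in LOGON_RIGHTS
            for who in rights.get(right, []) if who not in baseline]

if __name__ == "__main__":
    for right, who in extra_logon_principals(SAMPLE_INF):
        print(f"{right}: non-baseline principal {who}")
```

Real exports are usually UTF-16 encoded, so decode the file accordingly before passing its text to `parse_privilege_rights`.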
 
Mike,

Thanks for the information. But will this allow the user
to install, uninstall or update applications without
making them domain admins?

I will keep working on this.

Thanks,
Brian
 
Hi,

It depends on what tasks they need to perform on the server. Yes, you can enable
any user to be able to log on to a DC even if he/she is not a member of the Domain
Administrator group. But from here on, they will be restricted in what they are
allowed to do...

Mike
 
Only domain admins can install applications, critical updates, change hardware,
reconfigure tcp/ip, etc. on domain controllers. Depending on your needs, look in AD
Users and Computers for the built-in groups such as account managers and server
operators to see if they can do what you need. Much of Active Directory
administration can be delegated to regular users, such as create and manage
non-privileged accounts and edit Group Policy. --- Steve
 