Local Admin rights on a domain controller?

  • Thread starter William H. Hiatt III

William H. Hiatt III

We are in the process of designing and piloting Active Directory. We have
over 100+ remote offices, each one will receive a server that will be their
local domain controller as well as file and print server.

Here is my problem. I need to give certain groups local admin rights on
their respective server in each office. However, I do NOT want them to have
domain admin rights.

Unfortunately, I don't know a single way of doing this, and was hoping you
might be able to help. Any thoughts?


Thank You


William
 

Joe Richards [MVP]

You really can't segregate it that way. Why do you need to give local access to the DCs? We have some 375-400 DCs out
in the field and all of the admins for the DCs are located in a centralized location back in the States. No one outside
that group has rights on the DCs. Anything else will allow a local person to cause domain-wide issues.
 

Eric Fleischman [MSFT]

I posted a reply to this on another group. Check out what I said there.

~Eric


--
Eric Fleischman [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights.



Joe Richards [MVP]

Can you give me a hint to the group? ;oP

--
Joe Richards
www.joeware.net


Joe Richards [MVP]

n/m found it. ;o)

--
Joe Richards
www.joeware.net

