Domain Controller Administration


Brian Rosario
We have domain controllers that are also application
servers at our branch locations. Currently we have too
many domain administrators because application support
people need admin privileges to support the
applications. We have set up the application support
people as local admins on member servers but now I need
to do something on the domain controllers. Is there some
sort of role I can give the application support people on
the domain controllers so they don't have to be domain
admins? We are a W2K shop with AD. Somebody please help.

Miha Pihler
Hi Brian,

What kind of access do they need? Local logon or Terminal Services access?
Domain Controller policy can be configured in a way that "normal" users can
log on either locally or using Terminal Services... Still, you should keep
the number of users that have these rights to the minimum.

Here is what you need to do. Open the Domain Controller OU and edit its policy.
Drill down under Computer Configuration -> Windows Settings -> Security
Settings -> Local Policy -> User Rights Assignment. Here, look for a policy,
e.g. "Allow logon locally", and double-click on the policy. Click on Add
Users and Groups and add a group of users that should have the right to
log on locally to this server.

You either need to wait for the new policy to "kick in", force replication, or
reboot the DC.

I hope this helps,

Mike

"Brian Rosario" wrote in message
news:14c301c499a1$6f083610$a401280a@phx.gbl...
> We have domain controllers that are also application
> servers at our branch locations. Currently we have too
> many domain administrators because application support
> people need admin privileges to support the
> applications. We have set up the application support
> people as local admins on member servers but now I need
> to do something on the domain controllers. Is there some
> sort of role I can give the application support people on
> the domain controllers so they don't have to be domain
> admins? We are a W2K shop with AD. Somebody please help.



Brian Rosario
Mike,

Thanks for the information. But will this allow the user
to install, uninstall or update applications without
making them domain admins?

I will keep working on this.

Thanks,
Brian

Miha Pihler
Hi,

It depends on what tasks they need to perform on the server. Yes, you can enable
any user to be able to log on to the DC even if he/she is not a member of the Domain
Administrator group. But from here on, they will be restricted in what they are
allowed to do...

Mike

"Brian Rosario" wrote in message
news:152e01c499b9$4ae83d30$a501280a@phx.gbl...
> Mike,
>
> Thanks for the information. But will this allow the user
> to install, uninstall or update applications without
> making them domain admins?
>
> I will keep working on this.
>
> Thanks,
> Brian



Steven L Umbach
Only domain admins can install applications, critical updates, change hardware,
reconfigure TCP/IP, etc. on domain controllers. Depending on your needs, look in AD
Users and Computers for the built-in groups such as account managers and server
operators to see if they can do what you need. Much of Active Directory
administration can be delegated to regular users, such as creating and managing
non-privileged accounts and editing Group Policy. --- Steve


"Brian Rosario" wrote in message
news:14c301c499a1$6f083610$a401280a@phx.gbl...
> We have domain controllers that are also application
> servers at our branch locations. Currently we have too
> many domain administrators because application support
> people need admin privileges to support the
> applications. We have set up the application support
> people as local admins on member servers but now I need
> to do something on the domain controllers. Is there some
> sort of role I can give the application support people on
> the domain controllers so they don't have to be domain
> admins? We are a W2K shop with AD. Somebody please help.