Re: Local admin user rights on remote DC

From: Colin Nash [MVP] (x_at_x)
Date: 10/15/04


Date: Thu, 14 Oct 2004 20:36:56 -0400


"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:%23A$y$lUsEHA.3788@TK2MSFTNGP15.phx.gbl...
> Unfortunately there is no power user local equivalent on domain controllers.
> Your options are delegation, privileged group membership [server
> operators, etc], or user rights assignments. What may work is if you
> create a sub Organizational Unit for each site in the domain controller
> container. Then create a global group for each site that includes your
> site administrators. Then create a GPO for each sub OU and configure the
> user rights for deny logon locally, deny access this computer from the
> network, and deny logon through Remote Desktop [if available] to include
> the global groups from the other sites for the site administrators. Then
> move the domain controllers into the sub OU for each site. You would not
> have to configure any other settings for the GPO's for the sites and they
> will still inherit the Domain Security Policy settings except for what you
> define in each sub OU. Do NOT remove domain controllers out from the
> domain controller container structure, but sub Organizational Units of the
> domain controller container should work fine. If you are interested, try
> testing with one site first to see if users in the server operators, etc
> groups from another site are prevented from managing restricted domain
> controllers through Computer Management, Remote Desktop, command line,
> etc. --- Steve
>
>

If you block the other admins from accessing the other DCs over the network,
would this cause problems if they need to log on and the DCs at their own
sites are down for some reason?
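
The per-site deny rights described in the quoted post, written as the security-template section a site GPO would carry (in GptTmpl.inf under the GPO's Machine\Microsoft\Windows NT\SecEdit folder). This is an added example, not part of either post; the domain name EXAMPLE, the SiteA OU and the SiteB-Admins/SiteC-Admins groups are hypothetical.

```ini
; Constructed example: template for the GPO linked to the hypothetical
; sub-OU "SiteA" inside the Domain Controllers container.
; EXAMPLE\SiteB-Admins and EXAMPLE\SiteC-Admins are hypothetical global
; groups holding the site administrators of the OTHER sites.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Privilege Rights]
; "Deny log on locally"
SeDenyInteractiveLogonRight = EXAMPLE\SiteB-Admins,EXAMPLE\SiteC-Admins
; "Deny access to this computer from the network"
SeDenyNetworkLogonRight = EXAMPLE\SiteB-Admins,EXAMPLE\SiteC-Admins
; "Deny log on through Terminal Services" (Remote Desktop, where available)
SeDenyRemoteInteractiveLogonRight = EXAMPLE\SiteB-Admins,EXAMPLE\SiteC-Admins
```

A user right defined in the sub-OU GPO replaces, rather than merges with, the list for that same right from GPOs applied earlier, so any accounts already denied at the Domain Controllers level need to be repeated here.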


