Re: Allowing a Domain User Admin Rights to a Couple of Domain Servers

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/30/05 

Date: Thu, 30 Jun 2005 06:19:29 -0700

Matt,

Even on a DC a "full admin" as in member of Administrators is only
pretty much an admin of all DCs, but not of the network in the way
that Domain Admins members are in the default members of each
machine local Administrators group on the members of the domain.

Now, an Administrators member on a DC would have little problem
in making themselves a Domain Admins member but that is a different,
personnel issue. 

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Matt Gibson" <mattg@blueedgetech.ca> wrote in message
news:OeiKBeSfFHA.3448@TK2MSFTNGP12.phx.gbl...
> Depends if these machines are domain controllers or not.
>
> If they're domain controllers, then you're pretty much out of luck.  A
full
> admin on a DC is basically an admin of the network.
>
> If they're not DCs, then you can just give his user (in AD) only logon
> rights to those two servers.
>
> Matt Gibson - GSEC
>
> <inteltech@gmail.com> wrote in message
> news:1120101232.707852.206150@g47g2000cwa.googlegroups.com...
> > Hello All
> >
> > I am looking for a little assistance...
> >
> > Within our company we have two servers that have a different
> > administrator to the rest of the network.
> >
> > Currently the administrator of these servers uses the domain
> > administrator username/password to perform his admin tasks on the
> > server, but has also been know to use this account for other purposes.
> >
> > So what I would like to do, is provide him with an account that ONLY
> > has administrator rights on this two machines that he requires
> > administrator access too.
> >
> > Something like user account within Windows XP on the domain server
> > would do the trick...  but no!
> >
> > Does anyone have any ideas/advise for this?
> >
> > Thanks in advance
> >
> > David
> >
>
>

Relevant Pages

  • Re: Allowing a Domain User Admin Rights to a Couple of Domain Servers
    ... But that was just my point Matt. ... admin powers on the DCs. ... making the account a member of Adminsitrators does limit it ... >>>> administrator to the rest of the network. ...
    (microsoft.public.windows.server.security)
  • Re: XP client - Admin Rights
    ... and also that you have no way to map the admin shares. ... options find the policy to rename Administrator and rename it to this ... same - using an account name of your choice. ... make sure that Domain Admins is a member of the local Administrators. ...
    (microsoft.public.windows.group_policy)
  • Re: Admin Priveleges Not Working
    ... The Admin account hasn't ... changed - it is the only member of the administrator ... >> domain admin to do any of the admin tasks. ...
    (microsoft.public.backoffice.smallbiz2000)
  • Re: Allowing a Domain User Admin Rights to a Couple of Domain Servers
    ... If they're domain controllers, then you're pretty much out of luck. ... admin on a DC is basically an admin of the network. ... rights to those two servers. ... > administrator to the rest of the network. ...
    (microsoft.public.windows.server.security)
  • Re: DHCP will not Authorize
    ... Is this Administrator also a member of any other groups? ... group) you will be denied access even if you are Enterprise administrator. ... > I have recently upgraded two of our servers in different ...
    (microsoft.public.windows.server.networking)