October 15, 2012

Active Directory - Domain Controller administration

How to grant administrative access to the Domain Controller for non-domain administrator user

First of all, the target must be a Read Only Domain Controller (RODC), because Administrator Role Separation is only available on RODCs. Then you can use the dsmgmt.exe utility to grant local roles on that RODC to any domain user.

1. Start an elevated command prompt (cmd).
2. Type dsmgmt.exe
3. Type local roles to enter the local roles submenu.
4. Type list roles to see the local roles available on this DC.
5. To add User1 to the local Administrators group, type: add DOMAIN\User1 Administrators

After entering the command you should see the following output: Successfully updated local role.
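The same steps driven from an elevated PowerShell prompt, as an added example that is not part of the original post. It relies on dsmgmt.exe accepting its commands as arguments (the same pattern ntdsutil uses); the account name is a placeholder, and the show role command used for verification is assumed from dsmgmt's local roles menu.

```powershell
# Added example: grant a local role on an RODC via dsmgmt.exe and verify it.
# Run elevated on the RODC itself. $Account is a placeholder (constructed).
param(
    [string]$Account = 'DOMAIN\User1',    # placeholder delegated user
    [string]$Role    = 'Administrators'   # local role to grant
)

$dsmgmt = Join-Path $env:SystemRoot 'System32\dsmgmt.exe'

# Each argument is one line that would otherwise be typed interactively:
# "local roles" -> submenu, "add ..." -> grant, "show role ..." -> verify (assumed
# command), then "quit" twice to leave the submenu and the tool.
$output = & $dsmgmt 'local roles' "add $Account $Role" "show role $Role" quit quit 2>&1

# Keep the full transcript for the change record / audit trail.
$output | ForEach-Object { Write-Verbose $_ -Verbose }

if (($output -join "`n") -match 'Successfully updated local role') {
    Write-Host "Granted local '$Role' on $env:COMPUTERNAME to $Account"
} else {
    Write-Warning "dsmgmt did not report success; review the output above."
    exit 1
}
```

The role is stored locally on that RODC only, so the script must be run on (or repeated for) each RODC the user is meant to manage.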

As a result we have a domain user who can manage the selected Domain Controller without affecting Active Directory Domain Services. For example, the user can log on to the Domain Controller, manage drivers, restart the server, etc. Managing AD itself is denied.

