Grant Administrative Access to a Domain Controller

O'Reilly

Hacks

Sign In/My Account | View Cart

Search

• List of Titles

• Got a Hack?

• Suggestion Box

Resource Centers

Enterprise Development

Game Development

Software Development

SysAdmin/Networking

Book Series

Developer's Notebooks

Missing Manuals

Pocket References

Personal Trainer

Technology & Society

Publishing Partners

No Starch Press

Paraglyph Press

Pragmatic Bookshelf

Syngress Publishing

Online Publications

LinuxDevCenter.com

MacDevCenter.com

WebServices.XML.com

WindowsDevCenter.com

Special Interest

From the Editors List

tim.oreilly.com

Special Sales

Corporate Services

Inside O'Reilly

Register Your Book

Writing for O'Reilly

Buy the book!

Windows Server Hacks

By Mitch Tulloch
March 2004
More Info

HACK
#74

Grant Administrative Access to a Domain Controller
Here's a hack that will help you secure any domain controllers you have running at a remote site
[Discuss (8) | Link to this hack]

Active Directory has introduced many new levels of complexity to server and security management. For example, if you would like to grant a remote site administrator the rights to install software or services on a domain controller, that person would have to be a domain administrator. Granting that person domain administrator rights introduces the possibility of that user creating new accounts with administrative rights. Obviously, this is not an ideal situation.

The following steps show how to grant a user the same level of rights as an administrator of a member server or a workstation on a domain controller, while preventing that user from having rights to Active Directory.

WARNING

Please note that this hack does not eliminate all possible security risks, and the users who are granted these rights need to be highly trusted

Log onto a domain controller with full domain administrator rights. Make sure your Active Directory domain is in native mode.
Inside of Active Directory Users and Computers, create a global security group called DCAdmins. Add all users/groups that will need administrative access to the domain controllers to this group.
Create another global security group called DenyDCAdmins.
Add the DCAdmins group to the DenyDCAdmins group.
Inside of Active Directory Users and Computers, right-click on the domain name and choose Properties. Click on the Security tab (if the Security tab is not available, go to the View menu and choose Advanced).

Figure 1. Denying Full Control permission for the DenyDCAdmins global group

Now, all users or groups that are members of the DCAdmins group have full administrative access to all domain controllers but do not have any access to Active Directory.

TIP

These users won't even be able to browse Active Directory to apply permissions on shares or files. It is generally a best practice for these users to have two accounts: one for administering the domain controllers and another for day-to-day use.

Overall, this is a great approach to limit security for remote administrators and operations teams that need to be able to make changes on domain controllers. I highly recommend trying this approach before blanketing your Active Directory environment with unnecessary domain administrators.

—Tim Mintner

Comments on this hack

Main Topics

Newest First

Showing messages 1 through 4 of 4.

where the DCAdmins get their permission?
2004-12-29 07:32:18 nt-admin [View]

it seems that a step is missing,
where the DCAdmins actually get any rights?

Same issue
2005-09-14 11:18:41 fbm3862 [View]

We have used this process on a Windows 2000 domain ,but have found that after upgrading to 2003 that this process no longer works.

any ideas?

Any updates?
2005-10-13 11:15:23 CB-GEO [View]

Tim, I am wondering if you were able to figure out how to do this with Windows 2003 server yet?

This hack is a joke
2005-10-15 16:11:42 Joe Richards | [View]

This hack shows a serious misunderstanding of Active Directory and Windows and Active Directory Security.

It wouldn't effectively slow down anyone but those with the same level of understanding of AD Security and that is hoping they aren't running a program that has more understanding.

No security is offered with this hack. Anyone you do this for should be someone you would trust with Enterprise Admin rights because they could quite easily get them. The whole statement of "Please note that this hack does not eliminate all possible security risks, and the users who are granted these rights need to be highly trusted" makes no sense. If you trusted someone you would just give them the admin rights in the first place. There is NO WAY to effectively lock down a DC so someone can manage it other than DAs at the present time. Longhorn server in 2007 will make available a new option called Read-Only DC that will allow making someone else be admin of the local box without any access to AD but only on RO-DCs.

Joe Richards
www.joeware.net
Author - O'Reilly Active Directory Third Edition

Showing messages 1 through 4 of 4.

O'Reilly Home | Privacy Policy

© 2007 O'Reilly Media, Inc.
Website: | Customer Service: | Book issues:

All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners.