nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Groups with login rights on DC?

Pash

Which groups can login to the domain controller by default?

I have 4 accounts that i need to use purely for domain user administration, so I understand that the account opperators group is the group for this. But can they logon if the only server in the AD is the dc?

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

sprkymrk

Just install the adminpak.exe on their workstation. No need to allow login directly to the server.

Mishra

This sounds like a question you could have tested yourself. Is there a reason why you didn't try it?

Ahriakin

Install the Adminpak as Sprkymrk stated and then use delegation to grant User account manipulation rights as needed to the users for the OUs they need to work with. MUCH more secure.

Pash

This server sit's on a DMZ, therefore local login options is our only solution. The reason I havent tried this is because i dont want to mess with the gpo yet.

Mishra

Pash wrote:

This server sit's on a DMZ, therefore local login options is our only solution. The reason I havent tried this is because i dont want to mess with the gpo yet.

I'm not sure where GPO would hold you back. You should just create a test account, put them in the account operators group, then try to login locally. If not then I know the server operators group will work for local login.

You should be able to give it a try with no problem.

sprkymrk

Pash wrote:

This server sit's on a DMZ, therefore local login options is our only solution.

Your only DC sits in a DMZ? Do you know why? That sounds pretty unusual....

RTmarc

DC on a DMZ = major security risk...just an FYI.

Also, no local logins on a Domain Controller.

Ahriakin

Pash wrote:

This server sit's on a DMZ, therefore local login options is our only solution. The reason I havent tried this is because i dont want to mess with the gpo yet.

As mentioned earlier (again, yes I know I'm regurgitating parts of other posts, just trying to be complete

) being on a DMZ shouldn't be a problem, exempting the filters on the firewall controlling the security zones blocking access.

royal

In most cases a DC in a DMZ is a bad idea. There are cases where you have a separate AD domain in your DMZ to control servers through GPO and other functions. This is less of a security concern if it's still isolated from your internal network. If your corporate DC which serves your corporate clients is on your DMZ, like the others stated, this is a major security issue.

Pash

Haha, yes if it was a DC bearing AD for normal reasons yes it would be a bad idea. But its just effectvively a RADIUS server with AD installed to manage user accounts for a wireless LAN (it authenticates with a juniper firewall).

Yes we could easily manage traffic policies to allow access to the server. Infact we do currently for deployment remotely from our office (over vpn). However, the administration will be done by the end customer. And its under their own requests that we don't allow network traffic from any network to the server. So we are going to either use an ip kvm switch with a pc located at their helpdesk area in the building (which is pretty secure), or only allow console login in the comms room itself (fort knocks)....although nothing can stop the angry employee with a bee up his/her bonet...but yeh.

Im onsite tommorow, im gonna play properly with the group settings, i think i know which groups are given rights by default. But ill just get my desired effect tommorow and then hand it over to the customer to destroy this week

Cheers for your response though.

Pash

The solution we presented to the customer may not be the best but we deployed it as follows:

Juniper firewall ssg5 series

HP DLXX server with no RAID.

Win2003 server + Active Directory + IAS RADIUS

Policy on RADIUS to talk only to juniper firewall as client (server on a DMZ)

Cat5 KVM switch patched to customers helpdesk area, no network connectivity here so no RDP, just a direct console link. Account operators group as suggested above (thanks Mishra) is used for the customer administrators.

We still need to provide remote support for this wlan auth server, so having it on a DMZ with correctly configured firewall policies and a RADIUS policy that ONLY talks to the firewall I would of thought is as secure as you can get. Correct me if I am wrong.

*Future Improvements*

Captive Portal - Much easier for administration.

Btw I don't wanna seem like I think I know a super huge amount about these subjects...I need a lot more practice. Im always all ears to suggestions so please if you have any blurt them out anytime