local administrator on domain controller?

Hey Again

Ok, i am seeing some things about being made a local administrator on a domain controller. Is this new to 2008? I guess it would kind of make sense to have local groups on DCs since you can stop the AD service, but this still seems odd.

as always, thanks a ton, you guys are awesome

john

Find more posts tagged with

Comments

astorrs

The Administrators group in the Builtin container has always provided this - assuming that's what you meant.

jibbajabba

Even though you can add a user to the local administrator group (which is necessary when installing WDS for example) you cannot login as such ...

On Server 2003 you won't see the local server name in the drop down but only the domain and on server 2008 it always defaults to the domain login .. Even though the help suggests you CAN login using local user :

It will display a wrong username / password message when you trying to do so ...

Although, I don't honestly know if there is a group policy which does allow it ...

dynamik

Server 2003 DCs technically have a local administrator as well, which is used for DSRM. Maybe this just allows you to manage users who can work with DSRM instead of having to use a single account which is managed through ntdsutil. This is just speculation; this is the first I've heard of this ability.

Starke

There are changes in Server 2008, basically you can grant a domain user local administrative rights to an RODC. Here is a snippet from the 2008 AD Resource Kit:

"You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a drive. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, the ability to effectively manage the RODC in a branch office can be delegated to a branch user without compromising the security of the rest of the domain."

dynamik

That makes sense. Unfortunately I haven't had a chance to really play with 2008 yet

Thanks for the info, and welcome to the forums

astorrs

Ah yes, you're refering to the ability to grant local admin rights on only one or the DCs, gotcha. RODC's have some really cool features, I'm really looking forward to playing with them when they are virtualized on WAN optimization branch office appliances from the likes of Riverbed, Cisco WAAS, etc (most of whom have embraced either VMware or Microsoft as a hypervisor to run on the appliances) - now that's going to be cool.

royal

dynamik wrote:

Server 2003 DCs technically have a local administrator as well, which is used for DSRM. Maybe this just allows you to manage users who can work with DSRM instead of having to use a single account which is managed through ntdsutil. This is just speculation; this is the first I've heard of this ability.

Deja Vu.

RobertKaucher

Local administrators is a valid group on a DC. This allows you to grant local administrative access to users and service accounts for the server but does not grant them domain adminisstrative rights. It is incorrect to believe that the SAM database is gone from a DC once it is promoted. If you look in C:\WINDOWS\system32\config on a DC, there it is. The use of local administrators is important for granting rights, expecially to service accounts.

If you run the 'net localgroup administrators' command on a DC you will get output similar to the following:

Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

Administrator
Domain Admins
Enterprise Admins
SQLSvc
The command completed successfully.

Notice I have a service account for my SQL server running on this test VM as a local admin, but it is not a domain admin. This is the major reason for granting accounts local administrative rights on a server, with the introduction of the RODC in 2008 there is, as mentioned by another poster, the added reason of allowing the user to administer the server. You do not need to be an explicit member of local admins to turn of AD domain services in 2008. The server is still a member of the domain and can verify group membership to domain admins via another DC or via cached credentials. Adding a standard domain user to local admins on a server will also allow them to sign on to the server, but they will still be unable to administer anything in the active directory. At work, my user account is a local admin on our RightFAX server, for example. I can sign on using my standard user account and run the programs I need to administer RightfFAX but in order to start up support tools and access ADUC I still have to use run as and my "super user" account or the domain administrator account. Adding a user account to the server operators group grants them similar rights.

But with that all said try running 'net user UserName P@$$w0rd /add' on a DC and see what happens!