Superuser on Domain Controller

    Question

  • Hi.
     
    How can I allow a user (Domain User?) to log on to a DC and unlock user accounts?
     
    I've created a Group called "SuperUsers".
     
    I've added the group Superusers to the Remote Desktop Users, and added the group in the "Allow logon through Terminal Services" option in Local Security Policy - and Delegate Control... by setting the Read/Write lockout properties on user accounts.
     
    But when the user tries to start mmc.exe, the user is asked for Administrator credentials.
     
    I know that you can do it with Remote Desktop Administrative Tools - but it's an assignment, where it has to be done on the Domain Controller.

    • Edited by Kim D. Pedersen Monday, September 23, 2013 5:50 PM Better description
    Saturday, September 21, 2013 3:27 PM

Answers

  • I solved the problem

    I need to create an extra GPO, which overrules the "Default Domain Controllers Policy" - and add the SuperUsers group to the "Allow log on locally" property in Policies -> Windows Settings -> Security Settings -> Local Policies/User Rights Assignment.

    Now a normal Domain User can be delegated the job of unlocking users on the domain controller using Remote Desktop.


    Monday, September 23, 2013 5:43 PM
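    The two pieces of this thread's setup in script form, added here as an example and not posted by anyone in the thread: the delegation step from the question (Read/Write on the lockout attribute for the SuperUsers group) and a check of which principals actually hold "Allow log on locally" on the DC after the GPO is applied. The OU path is an assumed placeholder; run it on the DC as a Domain Admin.

```powershell
# Added example (not from any poster): delegate unlock on an OU to the
# SuperUsers group, then list who holds "Allow log on locally" on this DC.
# Run on the DC as a Domain Admin. The OU path is an assumed placeholder.
Import-Module ActiveDirectory

$groupName = 'SuperUsers'
$ouDN      = 'OU=Staff,DC=corp,DC=example'   # placeholder OU containing the users

# Well-known schema GUIDs: the lockoutTime attribute and the user object class
$lockoutTimeGuid = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'
$userClassGuid   = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$sid = (Get-ADGroup $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# Read/Write on lockoutTime only, inherited by user objects under the OU.
# This is the minimum ACE for "unlock"; it grants no other write access.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $lockoutTimeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify the effective user right on this DC: export the local policy and
# resolve the SIDs behind SeInteractiveLogonRight ("Allow log on locally").
# Anything listed here beyond the expected admin groups and SuperUsers is
# extra interactive access to the DC worth reviewing.
$inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$entry = (Select-String -Path $inf -Pattern '^SeInteractiveLogonRight').Line
($entry -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $s = $_.Trim().TrimStart('*')          # secedit prefixes SIDs with '*'
    try   { (New-Object System.Security.Principal.SecurityIdentifier $s).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $s }                           # unresolvable SID: show the raw value
}
Remove-Item $inf
```

    Run gpupdate /force on the DC before the second half, otherwise the export still shows the Default Domain Controllers Policy assignment.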

All replies

  • Hi,

    You can use Remote Desktop to the Domain Controller via mstsc. Meanwhile, you can add the group to the local Administrators group for a test.


    Niki Han
    TechNet Community Support

    Monday, September 23, 2013 9:42 AM
    Moderator
  • Hi,

    If possible I would recommend you have these users log on to a member RDSH server and use Active Directory Users and Computers (part of RSAT) to unlock user accounts instead of having them log on directly to the DC. If you must have them log on to the DC then you could disable User Account Control and then restart the server.

    -TP

    Monday, September 23, 2013 2:07 PM
    Moderator