Need a local logon for a RODC at Branch without admin rights

  • Question

  • I am setting up a new RODC in a Windows 2003 Forest with one domain. There is one domain controller running Win Server 2008 R2 at the Win Server 2003 functional level in the domain and 11 Win 2003 domain controllers at various branches. I intend to replace the branch domain controllers with Win 2008 R2 servers as RODC. I am setting up the first Win Server 2008 R2 as a RODC at a branch site. I have an application that needs someone logged onto the server in order to function. I would like to give the branch a logon to use which would not have administrative rights to the server. Can this be done?
    William Huffman
    Wednesday, July 6, 2011 6:46 PM

Answers

  • Hi,

    You can consider using Administrator Role Separation Configuration. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain.

    For more information, please refer to:

    Administrator Role Separation Configuration
    http://technet.microsoft.com/en-us/library/cc732301(WS.10).aspx

    AD DS: Read-Only Domain Controllers
    http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx

    Hope this helps.

    Regards,

    Bruce
    Forum Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Bruce-Liu Monday, July 11, 2011 4:06 PM
    Friday, July 8, 2011 9:41 AM

All replies

  • Yes it can be done.

    You have to use a command, DSMGMT. It will give you the prompt of this command. Now run a sub-command, LOCAL ROLES, and specify the roles you want. For the switches you can try the "?" sign. Syntax to add a user for a certain role will be <domain name>\<user name> <Role>

    This concept is called Administrator Role Separation Configuration.

    • Proposed as answer by vinit pandey Tuesday, July 12, 2011 5:35 AM
    Tuesday, July 12, 2011 5:30 AM
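Putting the two replies together (Bruce's pointer to Administrator Role Separation and vinit's DSMGMT steps), here is an added example of the whole procedure as a script; it is not code from the thread or from Microsoft's documentation. The RODC name `BR01-RODC`, the domain `CONTOSO` and the branch account `br01-console` are assumed placeholders; the `ActiveDirectory` module used for the verification steps is the RSAT module shipped with Windows Server 2008 R2.

```powershell
# Added example, not from the thread. Delegates local administration of an RODC
# to one branch account with Administrator Role Separation, then verifies that
# the delegation is scoped to that RODC and did not widen the account's rights.
# Assumed placeholders: RODC "BR01-RODC", domain "CONTOSO", user "br01-console".
# Run on the RODC as a domain administrator (the delegated user does not need,
# and should not get, any domain-level group membership).

$Rodc   = 'BR01-RODC'              # assumed RODC hostname
$Branch = 'CONTOSO\br01-console'   # assumed account that will stay logged on for the app

# dsmgmt takes its interactive menu commands as quoted arguments, like ntdsutil.
# "local roles" opens the role-separation menu, "add <user> <role>" delegates the
# RODC-local role, and "show role administrators" lists the members afterwards.
# Typing "?" at any menu lists the available sub-commands, as the reply notes.
$dsmgmtCommands = @(
    'local roles',
    "add $Branch administrators",
    'show role administrators',
    'quit',
    'quit'
)
$result = & dsmgmt.exe @dsmgmtCommands 2>&1
$result | ForEach-Object { Write-Output $_ }

Import-Module ActiveDirectory

# Check 1: the target really is an RODC. Role separation only exists on RODCs,
# so a typo that points at a writable DC should stop here.
$dc = Get-ADDomainController -Identity $Rodc
if (-not $dc.IsReadOnly) {
    throw "$Rodc is not a read-only domain controller; role separation does not apply."
}

# Check 2: the branch account gained nothing domain-wide. Role separation is
# stored per RODC, so the account must still be absent from the domain's
# administrative groups. Any hit here means someone granted broader rights.
$sam = ($Branch -split '\\')[1]
foreach ($group in 'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins') {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
    if ($members -contains $sam) {
        Write-Warning "$sam is a member of '$group'; the branch logon should not hold domain-wide rights."
    }
}

Write-Output "Role separation: $Branch is a local administrator of RODC $Rodc (site $($dc.Site)) only."
```

If the application only needs an interactive session and no administrative work on the box, the same `dsmgmt` sequence can be repeated with a less privileged RODC-local role in place of `administrators`; `local roles` followed by `list roles` shows which roles the RODC offers.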