Logging onto Domain Controllers as a Non Domain Admin

  • Question

  • Is it possible to give a user access to log into a Domain Controller and administer a file share on the DC without making them a member of domain admins?

    I know it's not a security best practice to have a DC act as a file server also, but budget constraints have not allowed me to separate the DC and File Share functions onto 2 separate servers.

    Now I'd like to give an IT admin rights to log onto the DC but not make changes to the DC or any AD components (sites & services, DNS etc.).

    Has anyone come across this type of requirement before?

    I've tinkered around with the Default Domain Controllers Policy and giving the user account rights to log into the DC using TS but this has not worked.

    Thanks in advance to anyone that replies.


    pajoryan123
    Thursday, March 18, 2010 12:11 PM

Answers

  • Hi,

    Allowing the user to logon is the first step. To administer a shared folder, you should also give the user the NTFS permission of the shared folder. Add the user in the Security tab, give it Full Control permission or other permissions.

    To change AD settings, open ADUC, right-click the AD object, choose Properties, switch to the Security tab, and configure permissions as you would for NTFS.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, March 23, 2010 9:35 AM
    Moderator
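As an added example (not from the thread and not Microsoft's code), the NTFS and share-level delegation described in the answer, scripted in PowerShell so the result can be reviewed rather than clicked through. It assumes the folder D:\Shares\Data is shared as "Data" on the DC and that the delegated admin is a member of a hypothetical group CONTOSO\FileShare-Admins; Grant-SmbShareAccess requires Windows Server 2012 or later. Run it on the DC as a domain admin.

```powershell
# Added example, not from the thread. Assumed values: folder D:\Shares\Data,
# share name "Data", delegate group CONTOSO\FileShare-Admins (hypothetical).
$FolderPath = 'D:\Shares\Data'
$ShareName  = 'Data'
$Delegate   = 'CONTOSO\FileShare-Admins'

function Grant-DelegatedFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        # Modify lets the delegate create, change and delete content but not
        # rewrite the ACL or take ownership. Use FullControl only if they
        # genuinely have to manage permissions on the share themselves.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)   # replaces any existing Allow ACE for this identity
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-DelegatedShareAccess {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Identity
    )
    # Share-level permission. Effective access is the intersection of the
    # share and NTFS permissions, so 'Change' here still leaves NTFS as the
    # limit. Grant-SmbShareAccess exists on Windows Server 2012 and later.
    Grant-SmbShareAccess -Name $Name -AccountName $Identity -AccessRight Change -Force | Out-Null
}

function Get-DelegatedFolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    # Returns the ACEs that apply to the delegate so the outcome can be checked.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Grant-DelegatedFolderAccess -Path $FolderPath -Identity $Delegate
Grant-DelegatedShareAccess  -Name $ShareName  -Identity $Delegate
Get-DelegatedFolderAccess   -Path $FolderPath -Identity $Delegate | Format-Table -AutoSize
```

The delegation is applied to a group rather than the individual account so that membership, not ACLs, is what gets reviewed later. The logon right itself is still the separate step the answer mentions; a user who can open an RDP session to a DC is sitting on the machine that holds the directory database, so the rights granted alongside the logon right deserve the same scrutiny as the folder ACL.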

All replies

  • We have been battling the same type of thing. A vendor needs to monitor a DC of ours and needs to be able to log in. We have granted the following: Allow log on locally, act as part of operating system, debug programs, profile system performance, replace a process level token, adjust memory quotas. They are also in the terminal svcs group, but they cannot log in via RDP or otherwise. Any ideas??
    Wednesday, June 2, 2010 6:39 PM
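As an added example (not from the thread), a PowerShell audit of which user rights a given account holds directly on the DC, based on the user rights export that secedit produces, with the privileges that amount to administrator access flagged. The account CONTOSO\vendor-monitor and the sample export are constructed for illustration; the right constants and the secedit export format are real. RDP logon specifically requires SeRemoteInteractiveLogonRight, which is the right the audit shows as present or absent.

```powershell
# Added example, not from the thread. Lists the user rights a principal holds
# on this DC and flags the privileges that make the holder an administrator
# in practice. Account name and sample export below are constructed.

# Right constant -> friendly name and whether it is admin-equivalent. Holding
# any flagged privilege lets a process reach SYSTEM, and on a DC SYSTEM owns
# the directory, so the delegation is no longer "monitoring only".
$RightCatalog = @{
    'SeInteractiveLogonRight'       = @{ Name = 'Allow log on locally';                         AdminEquivalent = $false }
    'SeRemoteInteractiveLogonRight' = @{ Name = 'Allow log on through Remote Desktop Services'; AdminEquivalent = $false }
    'SeSystemProfilePrivilege'      = @{ Name = 'Profile system performance';                   AdminEquivalent = $false }
    'SeIncreaseQuotaPrivilege'      = @{ Name = 'Adjust memory quotas for a process';           AdminEquivalent = $false }
    'SeTcbPrivilege'                = @{ Name = 'Act as part of the operating system';          AdminEquivalent = $true  }
    'SeDebugPrivilege'              = @{ Name = 'Debug programs';                               AdminEquivalent = $true  }
    'SeAssignPrimaryTokenPrivilege' = @{ Name = 'Replace a process level token';                AdminEquivalent = $true  }
    'SeBackupPrivilege'             = @{ Name = 'Back up files and directories';                AdminEquivalent = $true  }
    'SeRestorePrivilege'            = @{ Name = 'Restore files and directories';                AdminEquivalent = $true  }
    'SeTakeOwnershipPrivilege'      = @{ Name = 'Take ownership of files or other objects';     AdminEquivalent = $true  }
    'SeLoadDriverPrivilege'         = @{ Name = 'Load and unload device drivers';               AdminEquivalent = $true  }
}

function Get-UserRightsExport {
    # Exports the DC's effective user rights assignments with secedit.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Get-Content -Path $inf -Raw
}

function ConvertFrom-PrivilegeRights {
    param([Parameter(Mandatory)][string]$InfText)
    # Parses the [Privilege Rights] section into right -> list of principals.
    # secedit writes SIDs prefixed with '*'; they are resolved to names where
    # the domain is reachable and left as bare SIDs otherwise.
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]
        $principals = foreach ($p in ($Matches[2] -split ',')) {
            $p = $p.Trim()
            if ($p.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }
            } else { $p }
        }
        $rights[$right] = @($principals)
    }
    $rights
}

function Get-PrincipalRights {
    param(
        [Parameter(Mandatory)][hashtable]$Rights,
        [Parameter(Mandatory)][string]$Account
    )
    # Direct assignments only. Rights inherited through group membership
    # (Administrators, Server Operators, ...) need the account's groups checked
    # as well, or 'whoami /priv' run from the account's own session.
    foreach ($right in $Rights.Keys) {
        if ($Rights[$right] -notcontains $Account) { continue }
        $meta = $RightCatalog[$right]
        [pscustomobject]@{
            Right           = $right
            Description     = if ($meta) { $meta.Name } else { '(not catalogued)' }
            AdminEquivalent = if ($meta) { $meta.AdminEquivalent } else { $null }
        }
    }
}

# Constructed sample modelled on the rights listed in the reply above. A real
# export carries *S-1-5-... SIDs for every entry; names are used here so the
# sample resolves offline.
$SampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,CONTOSO\vendor-monitor
SeTcbPrivilege = CONTOSO\vendor-monitor
SeDebugPrivilege = *S-1-5-32-544,CONTOSO\vendor-monitor
SeSystemProfilePrivilege = *S-1-5-32-544,CONTOSO\vendor-monitor
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,CONTOSO\vendor-monitor
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,CONTOSO\vendor-monitor
SeRemoteInteractiveLogonRight = *S-1-5-32-544
'@

$rights = ConvertFrom-PrivilegeRights -InfText $SampleInf
# On the DC itself, replace the sample with the live export:
# $rights = ConvertFrom-PrivilegeRights -InfText (Get-UserRightsExport)

Get-PrincipalRights -Rights $rights -Account 'CONTOSO\vendor-monitor' |
    Sort-Object AdminEquivalent -Descending | Format-Table -AutoSize
```

Against the sample, the report shows three admin-equivalent privileges held directly (act as part of the OS, debug programs, replace a process level token) and no SeRemoteInteractiveLogonRight, which is the combination to avoid: the account cannot use RDP, yet any code it runs locally can already take over the DC. Fixing the RDP failure means adding the right that is missing, not the ones already granted, and the flagged privileges are the ones to remove once the delegation is reviewed.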