Add a domain user to local group

  • Question

  • I am trying to follow the instructions to set up DPM for the first time according to http://technet.microsoft.com/en-us/library/ff399416.aspx. It is indicated that I need to do the following:

    On the primary domain controller, create a domain user account with the lowest possible privileges, assign it a strong password that does not expire, and then add it to the local Administrators group.

    How can this be done, as on a DC there are no local groups?

    Thanks

    Friday, June 4, 2010 2:05 PM

Answers

  • Hello,

    after reading the DPM installation article again, I assume that the RODC local administrator group is meant, according to:

    Administrator role separation

    Administrator role separation specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. Accordingly, a delegated administrator can log on to an RODC to perform maintenance work, such as upgrading a driver, on the server. But the delegated administrator is not able to log on to any other domain controller or perform any other administrative task in the domain. In this way, a security group that comprises branch users, rather than members of the Domain Admins group, can be delegated the ability to effectively manage the RODC in the branch office, without compromising the security of the rest of the domain.

    Of course that can be made more clear in the article.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Friday, June 4, 2010 8:42 PM
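The two readings of the DPM instruction that this thread argues about, side by side in PowerShell. This is an added example, not code from the thread or from the DPM article; the account name DpmAgentSvc, the RODC name RODC01 and the OU path are assumptions.

```powershell
# Added example (not from the thread). Assumed names: user DpmAgentSvc,
# RODC computer RODC01, OU "OU=Service Accounts,DC=contoso,DC=com".
Import-Module ActiveDirectory

$ou   = 'OU=Service Accounts,DC=contoso,DC=com'   # assumed OU
$name = 'DpmAgentSvc'                             # assumed account name
$rodc = 'RODC01'                                  # assumed RODC hostname

# 1. Domain user with the lowest possible privileges: a plain member of
#    Domain Users, strong password entered interactively, set not to expire
#    as the article requires.
$pw = Read-Host -Prompt "Password for $name" -AsSecureString
New-ADUser -Name $name -SamAccountName $name -Path $ou `
    -AccountPassword $pw -PasswordNeverExpires $true -Enabled $true

# 2a. Literal reading (what the question objects to): Builtin\Administrators
#     on a DC is a domain local group whose members are administrators on
#     every DC in the domain. Left commented out; shown only for contrast.
# Add-ADGroupMember -Identity 'Administrators' -Members $name

# 2b. Reading from the accepted answer: delegate local administration of one
#     RODC via administrator role separation (the RODC's managedBy attribute),
#     which grants no rights on the domain or on writable DCs.
Set-ADComputer -Identity $rodc -ManagedBy (Get-ADUser $name)

# 3. Verify: delegation is in place and the account holds no domain-wide
#    admin membership (direct memberships only).
$managedBy = (Get-ADComputer $rodc -Properties ManagedBy).ManagedBy
$groups    = Get-ADPrincipalGroupMembership $name |
             Select-Object -ExpandProperty Name
[PSCustomObject]@{
    RodcManagedBy   = $managedBy
    InBuiltinAdmins = $groups -contains 'Administrators'
    InDomainAdmins  = $groups -contains 'Domain Admins'
    MemberOf        = $groups -join ', '
}
```

Run from a workstation with the RSAT ActiveDirectory module as an account allowed to create users and edit the RODC computer object; the last object should report both admin flags as False.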

All replies

  • The reference to the local Administrators group is the "Administrators" group located in the Built-in Container.  This "Administrators" group is a DOMAIN LOCAL group.


    Visit: anITKB.com, an IT Knowledge Base.
    • Proposed as answer by Meinolf Weber Friday, June 4, 2010 7:33 PM
    Friday, June 4, 2010 2:19 PM
  • Thanks. There is something strange then for me: "create a domain user account with the lowest possible privileges", then add it to the "Administrators" group, so he will have elevated privileges.

    Am I wrong?

    Friday, June 4, 2010 8:12 PM
  • That is a bizarre statement. It's in direct conflict with itself...LOL  I have a few contacts at MS. Forwarded the link to see if it can reach the writer so that it can be clarified.



    Visit: anITKB.com, an IT Knowledge Base.
    Friday, June 4, 2010 8:30 PM