  1. Senior Member
    Join Date
    Aug 2007
    Posts
    208

    Certifications
    CCNA, MCSA+M, MCSE '03, MCITP:EA, MCITP:EMA
    #1

    Default local administrator on domain controller?

    Hey Again

    Ok, I am seeing some things about being made a local administrator on a domain controller. Is this new to 2008? I guess it would kind of make sense to have local groups on DCs since you can stop the AD service, but this still seems odd.


    as always, thanks a ton, you guys are awesome


    john

  3. Drops by now and again astorrs
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #2
    The Administrators group in the Builtin container has always provided this - assuming that's what you meant.

  4. Google Ninja jibbajabba
    Join Date
    Jun 2008
    Location
    Ninja Cave
    Posts
    4,240

    Certifications
    TechExam Certified Alien Abduction Professional
    #3
    Even though you can add a user to the local administrator group (which is necessary when installing WDS for example) you cannot login as such ...

    On Server 2003 you won't see the local server name in the drop down but only the domain, and on Server 2008 it always defaults to the domain login .. Even though the help suggests you CAN log in using a local user:



    It will display a wrong username / password message when you are trying to do so ...

    Although, I don't honestly know if there is a group policy which does allow it ...

  5. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #4
    Server 2003 DCs technically have a local administrator as well, which is used for DSRM. Maybe this just allows you to manage users who can work with DSRM instead of having to use a single account which is managed through ntdsutil. This is just speculation; this is the first I've heard of this ability.

  6. Member
    Join Date
    Oct 2008
    Posts
    86
    #5
    There are changes in Server 2008, basically you can grant a domain user local administrative rights to an RODC. Here is a snippet from the 2008 AD Resource Kit:

    "You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a drive. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, the ability to effectively manage the RODC in a branch office can be delegated to a branch user without compromising the security of the rest of the domain."
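    The Resource Kit passage above describes what is usually called Administrative Role Separation for RODCs. The following PowerShell is an added example, not from the thread or the Resource Kit: it delegates local administration of one RODC by setting the computer object's managedBy attribute (the "Managed By" tab in ADUC) and then checks that the delegate holds no domain-wide admin membership, which is the whole point of the feature. It assumes the RSAT ActiveDirectory module and uses the hypothetical names BRANCH-RODC01 and branch.admin.

```powershell
# Added example (not the thread's or Microsoft's code). Assumes the RSAT
# ActiveDirectory module and a forest with at least one RODC.
# Hypothetical names: BRANCH-RODC01 (the RODC) and branch.admin (the delegate).
Import-Module ActiveDirectory

$rodcName = 'BRANCH-RODC01'
$delegate = 'branch.admin'

# 1. Confirm the target really is a read-only DC. The managedBy delegation only
#    grants local Administrators rights on an RODC; on a writable DC it is just
#    an informational attribute.
$rodc = Get-ADDomainController -Identity $rodcName
if (-not $rodc.IsReadOnly) {
    throw "$rodcName is a writable DC; RODC administrative role separation does not apply."
}

# 2. Delegate local administration of this one RODC to the branch user.
#    This is not a membership in Domain Admins or in Builtin\Administrators,
#    so the delegate gains nothing on any other DC.
$user = Get-ADUser -Identity $delegate
Set-ADComputer -Identity $rodc.ComputerObjectDN -ManagedBy $user.DistinguishedName

# 3. Verify the delegate is NOT also in a domain-wide admin group; if they are,
#    the delegation does not limit anything.
$domainWide = 'Domain Admins', 'Enterprise Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.SamAccountName -eq $delegate }
if ($domainWide) {
    Write-Warning "$delegate is also a member of a domain-wide admin group; review that membership."
}

# 4. Periodic audit: list the delegated administrator of every RODC in the domain.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    ForEach-Object {
        $c = Get-ADComputer -Identity $_.ComputerObjectDN -Properties ManagedBy
        [pscustomobject]@{ RODC = $_.HostName; DelegatedAdmin = $c.ManagedBy }
    }
```

    Step 4 is the check worth scheduling: a delegate on an RODC can log on to that server and, for example, replace a drive, so the list of RODC delegates deserves the same review as the membership of Server Operators.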

  7. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #6
    That makes sense. Unfortunately I haven't had a chance to really play with 2008 yet

    Thanks for the info, and welcome to the forums

  8. Drops by now and again astorrs
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #7
    Ah yes, you're referring to the ability to grant local admin rights on only one of the DCs, gotcha. RODCs have some really cool features, I'm really looking forward to playing with them when they are virtualized on WAN optimization branch office appliances from the likes of Riverbed, Cisco WAAS, etc (most of whom have embraced either VMware or Microsoft as a hypervisor to run on the appliances) - now that's going to be cool.

  9. New Member royal
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #8
    Quote Originally Posted by dynamik
    Server 2003 DCs technically have a local administrator as well, which is used for DSRM. Maybe this just allows you to manage users who can work with DSRM instead of having to use a single account which is managed through ntdsutil. This is just speculation; this is the first I've heard of this ability.
    Deja Vu.

  10. BOBBY_TABLES RobertKaucher
    Join Date
    Dec 2007
    Location
    Lebanon, Ohio - USA
    Posts
    4,274

    Certifications
    MCSD Web Apps/SharePoint Applications, MCITP: DBA 2005/2008, EA, EDA7, Linux+, Sec+, MCSE, MCDST, MCTS
    #9
    Local administrators is a valid group on a DC. This allows you to grant local administrative access to users and service accounts for the server but does not grant them domain administrative rights. It is incorrect to believe that the SAM database is gone from a DC once it is promoted. If you look in C:\WINDOWS\system32\config on a DC, there it is. The use of local administrators is important for granting rights, especially to service accounts.

    If you run the 'net localgroup administrators' command on a DC you will get output similar to the following:

    Alias name administrators
    Comment Administrators have complete and unrestricted access to the computer/domain

    Members

    -------------------------------------------------------------------------------
    Administrator
    Domain Admins
    Enterprise Admins
    SQLSvc
    The command completed successfully.

    Notice I have a service account for my SQL server running on this test VM as a local admin, but it is not a domain admin. This is the major reason for granting accounts local administrative rights on a server; with the introduction of the RODC in 2008 there is, as mentioned by another poster, the added reason of allowing the user to administer the server. You do not need to be an explicit member of local admins to turn off AD domain services in 2008. The server is still a member of the domain and can verify group membership to domain admins via another DC or via cached credentials. Adding a standard domain user to local admins on a server will also allow them to sign on to the server, but they will still be unable to administer anything in the active directory. At work, my user account is a local admin on our RightFAX server, for example. I can sign on using my standard user account and run the programs I need to administer RightFAX but in order to start up support tools and access ADUC I still have to use run as and my "super user" account or the domain administrator account. Adding a user account to the server operators group grants them similar rights.

    But with that all said try running 'net user UserName P@$$w0rd /add' on a DC and see what happens!
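    The 'net localgroup administrators' output above is the key point of this post: on a DC that "local" group is the domain's Builtin\Administrators group, so a member like SQLSvc is an administrator of every DC in the domain even though it is not in Domain Admins. The following PowerShell is an added example, not code from the thread: it reproduces that membership view with the RSAT ActiveDirectory module and reports the principals that are DC administrators without being covered by Domain Admins or Enterprise Admins, flagging those that look like service accounts. The SQLSvc name is only what the thread's sample output shows; the script discovers whatever is actually there.

```powershell
# Added example (not the thread's code). Run on a DC or any host with the RSAT
# ActiveDirectory module and rights to read group membership.
Import-Module ActiveDirectory

function Get-DcAdminsNotInDomainAdmins {
    # On a DC, 'net localgroup administrators' shows the domain's Builtin\Administrators
    # group; -Recursive expands nested groups down to users and computers.
    $builtinAdmins = Get-ADGroupMember -Identity 'Administrators' -Recursive

    # SIDs of everyone already covered by the domain-wide admin groups.
    $domainAdminSids = 'Domain Admins', 'Enterprise Admins' |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        ForEach-Object { $_.SID.Value } |
        Sort-Object -Unique

    # The interesting set: DC admins that are NOT domain admins (e.g. a SQLSvc-style
    # service account). Each one can log on to and fully administer every DC.
    $builtinAdmins |
        Where-Object { $domainAdminSids -notcontains $_.SID.Value } |
        ForEach-Object {
            $obj = Get-ADObject -Identity $_.DistinguishedName -Properties servicePrincipalName, pwdLastSet
            [pscustomobject]@{
                Name            = $_.SamAccountName
                ObjectClass     = $_.objectClass
                # An SPN on a user account is the usual sign of a service account.
                LooksLikeService = [bool]$obj.servicePrincipalName
                PasswordLastSet = if ($obj.pwdLastSet) { [datetime]::FromFileTime($obj.pwdLastSet) } else { $null }
            }
        }
}

Get-DcAdminsNotInDomainAdmins | Format-Table -AutoSize
```

    Pair this with monitoring of the DC Security log: a member added to Builtin\Administrators is logged as event ID 4732 (member added to a security-enabled local group), and an addition to Domain Admins as 4728, so the two events together cover the memberships this post is about.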
