Domain Controller Local Administrators Group
Domain Admins are, by default, members of the local Administrators group on all member servers and workstations in their respective domains.
Unfortunately, domain controllers don't have the local users and groups databases once they're promoted to a domain controller. Depending on what your needs are, you might be able to add the user or service account into the domain administrators group within Active Directory. Name the group Local Admin.
However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way the branch user can be delegated the ability to effectively. You cannot add a domain user account to the local Administrators group on domain controllers.
The same holds true for populating the local admins group via the Restricted Groups feature in Group Policy. I will add two users, say Tom and Bob. You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers.
As stated in the comments, either method will result in adding the domain user to the domain group Builtin\Administrators, which will then grant that user administrative permissions to Active Directory. Add the help desk members to the Local Admin group. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver.
Log on to a domain controller, open Active Directory Users and Computers (dsa.msc), create a security group, and name it Local Admin. There is a lovely security setting that has been around for many years, Restricted Groups, which can be controlled via local security policies or via GPO. Within Active Directory, search for your Builtin\Administrators group and add your service or user account to it.
This default nesting should not be modified, for supportability and disaster recovery purposes. One of the issues that a data center administrator, or indeed any Windows administrator, has is managing the local Administrators group on each and every one of their domain members.