Which permissions are required to allow a user to work on a domain controller


  • Which permissions are required to allow a user to work on a domain controller

    I need to allow a user the permissions to create folders, share folders, write to the registry and restart services on a domain controller, and would like to ask how I set up these permissions for that user.

    Thanks.
    Last edited by JDMils; 15th December 2017, 01:38.
    |
    +-- JDMils
    |
    +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
    |

  • #2
    Add them to the Domain Admins Group.
    Last edited by biggles77; 15th December 2017, 19:51.
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2



    • #3
      Thanks Biggles, I was hoping that I could add granular permissions to allow the user to do the work without making them a domain admin but it seems from my testing that your suggestion is the only way.
      |
      +-- JDMils
      |
      +-- Regional Systems Engineer, DotNet programmer & Jack of all trades
      |



      • #4
        I have to ask WHY your users need to be able to do this, as it is against all best practice. Allowing file access, and worse, registry editing, on a DC risks security at the core of your network. Best practice, especially with virtualisation, is to use the DC only for authentication and DNS - even DHCP is frowned upon now.
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          I'm sure that one could, in the process of testing, run procmon and regmon to see if they could get a further idea,
          but it's just far easier to make a DC the realm of a DA. Put your file system and shares on a fileserver.
          Please do show your appreciation to those who assist you by leaving Rep Point



          • #6
            In days of old and NT 4.0 Server, there was, from memory, a "Junior" Administrator mode set of permissions. The person was listed as being in the Administrators Group on the Server but was limited in what they could actually do. One restriction that I do specifically remember was that they could not edit the registry. It has been many years since I learned about this and I cannot remember how it was applied but was in the NT4.0 Server or Enterprise Study Guide published by New Rider and it wasn't just instructions that they could only use Regedt32 to look at the registry.

            Something for you to DuckDuckGo during the xmas break Mr Mils.



            • #7
              You're forgetting that a DC does not have local users or groups, thus you cannot simply add a user to a local group.
