Delegation of Rights for Specific Domain Controllers

  • Delegation of Rights for Specific Domain Controllers

    In an attempt to delegate location-specific rights to localized administrator groups, I've run into a couple of interesting problems.

    While I have no issues dealing with OU-specific delegation of administrative rights related to workstations and non-DC servers, the issue relates to selective delegation of authority for the administration of domain controllers.
    Basically delegation of rights for the purposes of managing only specific domain controllers is hampered by Microsoft's concept of Domain Local groups. Owing to the fact that all domain controllers share an Administrators group and a Remote Desktop Users group, it does not seem to be possible to delegate Remote Desktop access and administrative share access to specific domain controllers; access to one means access to all. (In this case, the intent is not to grant complete administrative access to these domain controllers, but rather to just these basic capabilities.)

    It appears that:
    1. Access to administrative shares absolutely requires membership in the Administrators group.
    2. Remote Desktop access absolutely requires membership in the Remote Desktop Users group, at least under W2K3 and w2k8.

    With respect to Remote Desktop, I have attempted, rather than using the Remote Desktop Users group, to make use of the group policy "Allow logon through Remote Desktop Services" (a/k/a "Allow logon through Terminal Services") option as well as granting permissions for the rdp-tcp connection in Terminal Services Manager. I have had no luck with this approach. I'll assume that this may not be possible.

    As for the administrative share access, I can certainly set up parallel non-administrative shares with the correct access rights - this may have to suffice.

    Any thoughts?
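The core risk the post describes is that the Builtin "Administrators" and "Remote Desktop Users" groups are domain-local groups shared by every domain controller, so a membership granted for one site's DC is in effect a grant for all of them. The following PowerShell audit is an added example, not code from the original post or its forum; it assumes the RSAT ActiveDirectory module is installed and that it is run by an account already permitted to read group membership in the domain. It expands nested membership so that indirect members (a site admin group nested into Remote Desktop Users, for instance) show up in the report alongside direct ones, and it lists the DCs the grant actually covers.

```powershell
# Added example (not from the original post): report everyone who effectively
# holds Remote Desktop or administrative-share access to ALL domain controllers,
# since the Builtin Administrators and Remote Desktop Users groups are
# domain-local groups shared by every DC in the domain.
# Assumes: RSAT ActiveDirectory module, run from a domain-joined, authorised account.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Every DC in the domain honours the same Builtin group membership.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$groups = @('Administrators', 'Remote Desktop Users')

$report = foreach ($g in $groups) {
    # Direct members first, so nested grants can be told apart from direct ones.
    $direct = Get-ADGroupMember -Identity $g -ErrorAction Stop
    $directNames = $direct | Select-Object -ExpandProperty distinguishedName

    # -Recursive expands nested groups; anyone returned here can reach every DC.
    $effective = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop

    foreach ($m in $effective) {
        [pscustomobject]@{
            Group       = $g
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
            Membership  = if ($directNames -contains $m.distinguishedName) { 'direct' } else { 'nested' }
            AppliesTo   = "all $($dcs.Count) DCs in $($domain.DNSRoot)"
        }
    }
}

Write-Host "Domain controllers sharing these groups: $($dcs -join ', ')"
$report | Sort-Object Group, Membership, Member | Format-Table -AutoSize

# Review: any member listed here who was meant to manage only one site's DC
# is a finding, because the group scope makes the grant domain-wide.
```

Run it from a management workstation rather than on a DC. The "nested" rows are the ones most often missed in a manual review of the group, since a regional admin group added to Remote Desktop Users for one location silently extends that access to every domain controller in the domain.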