Which permissions are required to allow a user to work on a domain controller


This topic contains 6 replies, has 6 voices, and was last updated by Hirsch 1 year, 1 month ago.

Viewing 7 posts - 1 through 7 (of 7 total)

  • JDMils

    I need to allow a user the permissions to create folders, share folders, write to the registry and restart services on a domain controller, and would like to ask how I set up these permissions for that user?



    Add them to the Domain Admins Group.


    Thanks Biggles, I was hoping that I could add granular permissions to allow the user to do the work without making them a domain admin but it seems from my testing that your suggestion is the only way.


    I have to ask WHY your users need to be able to do this, as it is against all best practice. Allowing file access, and worse, registry editing, on a DC risks security at the core of your network. Best practice, especially with virtualisation, is to use the DC only for authentication and DNS – even DHCP is frowned upon now.


    I’m sure that one could, in the process of testing, run procmon and regmon to see if they could get a further idea, but it’s just far easier to make a DC the realm of a DA. Put your file system and shares on a file server.


    In days of old and NT 4.0 Server, there was, from memory, a “Junior” Administrator mode set of permissions. The person was listed as being in the Administrators Group on the Server but was limited in what they could actually do. One restriction that I do specifically remember was that they could not edit the registry. It has been many years since I learned about this and I cannot remember how it was applied, but it was in the NT 4.0 Server or Enterprise Study Guide published by New Riders, and it wasn’t just instructions that they could only use Regedt32 to look at the registry.

    Something for you to DuckDuckGo during the xmas break, Mr Mils.


    You’re forgetting that a DC does not have local users or groups, thus you cannot simply add a user to a local group.
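A least-privilege alternative for one of the four requirements in the original question (restarting services), added here as an example and not posted by anyone in the thread: PowerShell that grants a domain group start/stop rights on a single service through that service's own security descriptor, then lists every principal that can control the service. The service name `Spooler` and the group `CONTOSO\DC-ServiceOps` are placeholder assumptions.

```powershell
# Added example (not from the thread). Delegates start/stop of ONE service on a DC
# to a domain group via the service's security descriptor, instead of Domain Admins.
# Assumptions: 'Spooler' is a placeholder service; 'CONTOSO\DC-ServiceOps' is a
# hypothetical group. Run in an elevated PowerShell session on the DC.

$ServiceName = 'Spooler'                 # placeholder service name
$GroupName   = 'CONTOSO\DC-ServiceOps'   # hypothetical delegated group

# Bind the ACE to the group's SID rather than its name
$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value

# Current descriptor as SDDL, e.g. "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)...S:(AU;...)"
# 'sc.exe' is spelled out because 'sc' is an alias for Set-Content in PowerShell.
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }).Trim()

# Service rights in SDDL: CC=query config, LC=query status, SW=enumerate dependents,
# RP=start, WP=stop, LO=interrogate, RC=read control. No DC (change config), no WD/WO.
$ace = "(A;;CCLCSWRPWPLORC;;;$sid)"

if ($sddl -notlike "*$sid*") {
    # Append the ACE to the DACL; keep the SACL ('S:' part) intact if present
    $sddl = if ($sddl -match '^(D:.*?)(S:.*)$') { $Matches[1] + $ace + $Matches[2] } else { $sddl + $ace }
    & sc.exe sdset $ServiceName $sddl | Out-Null
}

# Verify: list every principal with start or stop rights on the service.
# This part is also useful on its own as a periodic check of who can control services on a DC.
$start = 0x10; $stop = 0x20
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
foreach ($entry in $sd.DiscretionaryAcl) {
    if ($entry -isnot [System.Security.AccessControl.CommonAce]) { continue }
    $name = try { $entry.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry.SecurityIdentifier.Value }
    [pscustomobject]@{
        Principal = $name
        Type      = $entry.AceType
        CanStart  = [bool]($entry.AccessMask -band $start)
        CanStop   = [bool]($entry.AccessMask -band $stop)
    }
}
```

The group still needs no membership in Domain Admins or any DC built-in group for this to work, because the ACE references a domain SID directly.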

