O'Reilly Hacks

Windows Server Hacks
By Mitch Tulloch
March 2004

Grant Administrative Access to a Domain Controller
Here's a hack that will help you secure any domain controllers you have running at a remote site

Active Directory has introduced many new levels of complexity to server and security management. For example, if you would like to grant a remote site administrator the rights to install software or services on a domain controller, that person would have to be a domain administrator. Granting that person domain administrator rights introduces the possibility of that user creating new accounts with administrative rights. Obviously, this is not an ideal situation.

The following steps show how to give a user, on a domain controller, the same level of rights that an administrator has on a member server or workstation, while preventing that user from having any rights in Active Directory itself.


Please note that this hack does not eliminate all possible security risks, and the users who are granted these rights need to be highly trusted.

  1. Log on to a domain controller with full domain administrator rights. Make sure your Active Directory domain is in native mode.

  2. In Active Directory Users and Computers, create a global security group called DCAdmins. Add all users and groups that will need administrative access to the domain controllers to this group.

  3. Create another global security group called DenyDCAdmins.

  4. Add the DCAdmins group to the DenyDCAdmins group.

  5. In Active Directory Users and Computers, right-click on the domain name and choose Properties. Click on the Security tab (if the Security tab is not available, go to the View menu and choose Advanced Features).

Figure 1. Denying Full Control permission for the DenyDCAdmins global group

Now, all users or groups that are members of the DCAdmins group have full administrative access to all domain controllers but do not have any access to Active Directory.
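A scripted equivalent of the steps shown above (create the two groups, nest DCAdmins in DenyDCAdmins, and write the Deny Full Control entry from Figure 1 on the domain object), added here as an example and not part of the original hack, together with a check that the deny entry is actually present. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later), that it runs as a domain administrator on a DC, that the groups are created in CN=Users, and that the deny entry applies to the domain object only, since the figure does not show the inheritance setting; the step that gives DCAdmins its administrative rights on the domain controllers themselves is not in the text above and is not scripted here.

```powershell
# Added example, not from the original hack. Requires the ActiveDirectory module
# and a domain-administrator session on a domain controller.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$groupOu  = "CN=Users,$domainDn"     # assumption: groups are created in CN=Users
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll   # "Full Control"
$deny     = [System.Security.AccessControl.AccessControlType]::Deny
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None  # assumption: this object only

function New-DcAdminGroups {
    # Steps 2-4: create both global security groups and nest DCAdmins inside DenyDCAdmins.
    foreach ($name in 'DCAdmins', 'DenyDCAdmins') {
        if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
            New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $groupOu
        }
    }
    Add-ADGroupMember -Identity 'DenyDCAdmins' -Members 'DCAdmins'
}

function Set-DenyDcAdminsAce {
    # Step 5 / Figure 1: deny Full Control to DenyDCAdmins on the domain object.
    # A deny entry is evaluated before any allow entry, so it wins even for members
    # who also hold allow permissions through other groups.
    $sid  = (Get-ADGroup 'DenyDCAdmins').SID
    $path = "AD:\$domainDn"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rights, $deny, $inherit)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-DenyDcAdminsAce {
    # Verification: $true only if a Deny entry covering Full Control exists for DenyDCAdmins.
    $sid   = (Get-ADGroup 'DenyDCAdmins').SID
    $acl   = Get-Acl -Path "AD:\$domainDn"
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq $deny -and
        ($_.ActiveDirectoryRights -band $rights) -eq $rights
    })
}

New-DcAdminGroups
Set-DenyDcAdminsAce
if (-not (Test-DenyDcAdminsAce)) { throw 'Deny Full Control entry for DenyDCAdmins was not applied.' }
```

Run it once after step 1; rerunning is safe because existing groups are skipped and a duplicate deny entry is merged by the ACL.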


These users won't even be able to browse Active Directory to apply permissions on shares or files. It is generally a best practice for these users to have two accounts: one for administering the domain controllers and another for day-to-day use.

Overall, this is a great approach to limit the access granted to remote administrators and operations teams that need to be able to make changes on domain controllers. I highly recommend trying this approach before blanketing your Active Directory environment with unnecessary domain administrators.

Tim Mintner


© 2007 O'Reilly Media, Inc.