Securing Domain Controllers
I'd like to give a particular AD Security Group rights on my AD Domain Controllers. I do not want to use Domain Admins for this. I notice there doesn't appear to be a way of adding groups to local administrator groups on DCs. Is there another way to give an AD Security Group rights to administer a DC without using Domain Admins?
pajoryan123
February 22nd, 2010 2:54pm

Hi there,
Unfortunately there isn't. Of course you can delegate management tasks, but "full" server management on a DC requires Domain Admins.
Regards,
Stefan Hazenbroek
February 23rd, 2010 12:56am

Is it possible to delegate the right to an account/group to log into a DC using RDP without making that account/group a member of Domain Admins?
pajoryan123
February 23rd, 2010 1:01pm

Hi,
Yes, you can. You need to grant the users/group the right to log on locally on the machine, though; you can do that in the Default Domain Controllers Policy or any other policy you use for your DCs. Check out http://support.microsoft.com/kb/234237/ for information on how to do this.
Keep in mind, though, that a DC is a very delicate machine that requires special management in comparison to a regular Member Server. It would be best to minimize the users that are able to log on to your DC, except for your AD team, who should have Domain Admins rights anyway.
Regards,
Stefan Hazenbroek
February 23rd, 2010 5:22pm

Although Stefan may be correct, I accidentally ran into this the other day. I found there is an Administrators group in the domain, and when I experimented with it a bit, I found it had rights to the DCs, but not the members. Perhaps someone else can elaborate, but I think this may be what you want to do, if not the best admin plan.
blankmonkey
February 23rd, 2010 10:39pm

Hi BlankMonkey,
Yes, if a user is a member of the Administrators group on a DC but not a member of Domain Admins, he does not have administrative permissions on member servers. However, he has permission to do anything on the DC, including adding himself to the Domain Admins group.
pajoryan123, to log on to a DC via RDP, the user right "Allow log on through Terminal Services" is required. As Stefan stated, you'd better minimize the users that are able to log on to DCs.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
February 26th, 2010 10:06am

> If a user is a member of the Administrators group on a DC but not a member of Domain Admins, he does not have administrative permissions on member servers. However, he has permission to do anything on the DC, including adding himself to the Domain Admins group. pajoryan123, to log on to a DC via RDP, the user right "Allow log on through Terminal Services" is required. As Stefan stated, you'd better minimize the users that are able to log on to DCs.

Joson, is it possible to allow a user or group the permission to "Allow log on through Terminal Services" but not have them be a member of Administrators, Server Operators or Remote Desktop Users?
Thanks,
pajoryan123
March 16th, 2010 6:43pm

Hi there,
Yes, you can. Open up TS Configuration on your DC and choose the properties of RDP-Tcp. Assign the user/group the permissions:
- Allow log on to terminal server.
- Access this computer from the network.
- Allow log on locally.
This should work to have another group that has permissions to log on to the DC.
Regards,
Stefan Hazenbroek
Edit: I clicked the wrong "Propose As Answer" by accident.
March 20th, 2010 6:28pm
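Before handing out the three user rights listed in the last reply, it helps to see who already holds them on the DC, and, given Joson's point about the DC's Administrators group, which of its members are not Domain Admins. The following audit script is an added example, not code from this thread or from Microsoft; it assumes it is run with administrative rights on a domain controller that has the ActiveDirectory module installed, and the right names it keys on are the standard security-template constants for the rights named above.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Run as an administrator on a DC.

# The three rights from the thread, keyed by their security-template constant names.
$rightsOfInterest = @{
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Terminal Services'
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeNetworkLogonRight'           = 'Access this computer from the network'
}

# Export this machine's effective user-rights assignment (policy already applied).
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Resolve-Sid([string]$token) {
    # secedit writes SIDs as *S-1-5-..., and plain names without the prefix.
    if ($token -notlike '*S-1-*') { return $token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($token.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $token }   # unresolvable SID (deleted account, foreign domain)
}

foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest.ContainsKey($Matches[1])) {
        $holders = $Matches[2] -split ',' | ForEach-Object { Resolve-Sid $_.Trim() }
        "{0}:`n  {1}" -f $rightsOfInterest[$Matches[1]], ($holders -join "`n  ")
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Joson's point: a member of the DC's Administrators group who is not a Domain Admin
# can still do anything on the DC. List such user accounts explicitly.
$domainAdminSids = Get-ADGroupMember 'Domain Admins' -Recursive | ForEach-Object { $_.SID.Value }
$extra = Get-ADGroupMember 'Administrators' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $domainAdminSids -notcontains $_.SID.Value }
"Members of Administrators on the DC that are NOT Domain Admins:"
$extra | ForEach-Object { "  $($_.SamAccountName) ($($_.distinguishedName))" }
```

Review the second list with the same care as the Domain Admins group itself, since its members have the rights the thread warns about.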
