I have installed the RSAT Tools on my Windows 7 Machine and created the ADUAC MMC console I can access AD ok - but i have limited functionality - Cant change passwords, unlock accounts etc.. Now i have two account and normal user and an admin account. I have logged onto my PC has normal user but i have my admin account on my machine and the UAC set to automatically use the admin account. If i try to run the MMC with my admin account it faills with an error Has anybody else seen this problem? Domain and Forest is Server 2008 Thanks

You need to log on with a domain administrator account to edit AD components. It is not related to UAC. When you logon with the normal user and access AD via RSAT, server will authenticate your certificate. In domain it can be Kerberos or NTLM authentication. The authentication pack that is sent from your computer will only include the current logged on account. Then the access will be confirmed as a low-privilege access.Arthur Xie - MSFT

Is it possible to somehow launch the RSAT tools on XP and connect to a different domain and have it prompt for the authentication to use?

Hi everyone. Is there posibility to set up permission (local gpo on dc or smth) to administter DC via RSAT without login on client machine with domain admin credentials?

Essentially no way to set permissions for this (also no local GPO on DCs). What it sounds like you're after is something like Sysinternals' ShellRunAs (http://technet.microsoft.com/en-ca/sysinternals/cc300361.aspx) which I use to run RSAT tools with a separate, privileged account. You log on to your computer with your day-to-day user ID/password and use ShellRunAs' context menu to launch RSAT tools with domain admin or privileged account. For nf69 - At least for the mmc-based tools you can start a new mmc console and add in each of the old-school admin tools (aduc/dom+trusts/sites/etc) and connect to the other domain (once dns/trusts/etc are setup). When you connect to the other domain you can "Save this domain setting for the current console". Save the console and then with Sysinternals' ShellRunAs you might be able to start the new console session with alternate credentials from the other domain.

Thank You BWalter for link for this tool :)