locked
Allowing non Domain Admins to run ADUC on a DC? RRS feed

  • Pytanie

  • We have a need to allow a remote support technician the ability to log into a DC at that site to administer a specific OU for that site.  I set permissions to allow the account to log into the DC through Remote Desktop but it cannot run ADUC or even just MMC and add ADUC to the snapin without making that account a member of the Builtin "Account Operators" group. 

    If we make it a member of Account Operators then it can modify other OU's, even though we've only delgated it that specific OU.

    What is necessary to run ADUC so that this acount can manage the OU in question but not other OU's? 

    I know we could install tools on a seperate workstation but we'll need this account to be able to log into the DC itself anyway should it become inaccessble.

    Thanks in advance!

    wtorek, 20 marca 2012 03:35

Odpowiedzi

  • You can give membership of Backup Operator Group to that particular member and then can delegate thepermission on particular OU. Afetr applying this user would be able to login and also would be able to open ADUC console. Moreover he would not be able to make any change for any object except the OU objects for which you gave delegation.
    • Oznaczony jako odpowiedź przez CGITsupport wtorek, 20 marca 2012 21:24
    wtorek, 20 marca 2012 04:21
  • A normal domain user can read all the objects in the AD using ADUC w/o additional privilege until something is explicitly configured to deny them. You can install adminpak.msi or RSAT tool to access ADUC from the client workstation or server.

    Try to install adminPak.msi (it is available in windows 2003 media or you can download from here http://www.microsoft.com/download/en/details.aspx?id=16770)on the workstation part of the domain which is running windows XP system. To install adminpak.msi, you need local system admin access and after that you can run ADUC w/o any additonal support. To use it using delegated admin rights, you can use runas option.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Zaproponowany jako odpowiedź przez Meinolf Weber wtorek, 20 marca 2012 07:16
    • Oznaczony jako odpowiedź przez Rick Tan wtorek, 20 marca 2012 07:24
    wtorek, 20 marca 2012 05:24

Wszystkie odpowiedzi

  • You can give membership of Backup Operator Group to that particular member and then can delegate thepermission on particular OU. Afetr applying this user would be able to login and also would be able to open ADUC console. Moreover he would not be able to make any change for any object except the OU objects for which you gave delegation.
    • Oznaczony jako odpowiedź przez CGITsupport wtorek, 20 marca 2012 21:24
    wtorek, 20 marca 2012 04:21
  • A normal domain user can read all the objects in the AD using ADUC w/o additional privilege until something is explicitly configured to deny them. You can install adminpak.msi or RSAT tool to access ADUC from the client workstation or server.

    Try to install adminPak.msi (it is available in windows 2003 media or you can download from here http://www.microsoft.com/download/en/details.aspx?id=16770)on the workstation part of the domain which is running windows XP system. To install adminpak.msi, you need local system admin access and after that you can run ADUC w/o any additonal support. To use it using delegated admin rights, you can use runas option.


    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Zaproponowany jako odpowiedź przez Meinolf Weber wtorek, 20 marca 2012 07:16
    • Oznaczony jako odpowiedź przez Rick Tan wtorek, 20 marca 2012 07:24
    wtorek, 20 marca 2012 05:24
  • Domains users by default have a read access to Active directory objects.

    Refer below link to understand this better.

    http://www.windowsecurity.com/articles/installing-using-remote-server-administration-tools-rsat-vista.html

    Above link explains step by step procedure to install the RSAT Tool.

    For Legacy operting systems (XP, windows server 2003) you need to use adminpak.msi.

    http://support.microsoft.com/kb/314978

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    wtorek, 20 marca 2012 06:17
  • Hello,

    there is no need for logon to the DC itself to manage a specific OU. Use a workstation with RSAT(Windows Vista or higher) or adminpak installled and use delegate control wizard on the OU to give the required permissions ONNLY. Therefore create an own security group and work with that one, the builtin security groups have to manyu permissions beside the ones you like to have.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    wtorek, 20 marca 2012 07:18
  • Thanks Vinay.  This is what I was looking for.  It does allow the account to now open ADUC on the DC itself and it can't modify objects in other OU's but the one we delegated for it.  Much apprecaited!
    wtorek, 20 marca 2012 22:26
  • Hi Awinish.  Like I said in my original post, I realize we could use the Remote Server Admin Tools for Windows 7 but we want the ability to log int he DC itself anyway in case the server is not accessbile to us.

    We found the problem is that the account couldn't open ADUC on the DC itself unless I made it a member of Account Operators group.  However it could then also modify objects in OU's we didn't delegate to that account.  Vinay's suggestion to use the Backup Operators group works to allow running ADUC on the DC but not modify object that aren't in the OU we've deletated.

    Thanks for the suggestion I do appreciate your quick response.

    wtorek, 20 marca 2012 23:12
  • I agree. Allowing *anyone* other than a domain admin to logon to a domain controller seems dangerous, even if you take the time to work out ways to limit access to just what they need. that is more easily and reliably done on a workstation that does not have any significant domain-related roles.


    Al Dunbar

    środa, 21 marca 2012 03:09
  • Hello - Adding non-admin user to "Backup Operators" membership did not work to get ADUC.

    Working on Server 2008 R2, I created a non-admin user and gave specific "Delegation Control" just as this article says.  http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/3f0dbf8e-636b-45fe-93db-f788d5b976fd/      I gave that user Remote Desktop ability.  (one thing at a time as far as going to using remote tools like RSAT or adminpak.msi for XP ) However the user can still NOT execute ADUC.  Even with adding the "Backup Opperators" membership.  The user gets a pop-up "User Account Control" asking to elevate - which defeats the purpose.  The Program location: in question is (there are 2) ...mmc.exe and ...dsa.exe - which makes sense.   I tried gpedit but it is complicated.   

    Can anyone lend a hand?  Thank you


    • Zmodyfikowany przez rs120p środa, 3 października 2012 19:03 typo
    środa, 3 października 2012 19:01
  • i'm aware that this question is 7 years old.. but i'm facing the exactly same issue and asked myself, if you ever found a solution.

    i delegated control in AD to the RootDSE for a specific user. This user has the right to log in to Domain Controller using RDP->

    • Start Local Group Policy Editor (gpedit.msc);
    • Go to the section Computer Configuration -> Windows settings -> Security Settings -> Local policies -> User Rights Assignment;
    • Find the policy Allow log on through Remote Desktop Services;

    now when the user logged in to the domain controller and tries to start dsa.msc (ADUC), he gets a prompt asking for the password.. silly design .. but must have a purpose .. i just don't understand which privilege is required in order to make this work..

    cheers

    Chris


    Christian

    czwartek, 3 października 2019 06:26
  • I just tried this. I made my non-admin user a member of BACKUP OPERATORS on my domain controller. I log in with that account, try to open ADUC, andd I get the UAC prompt for admin credentials. I simply enter the credentials of the non-admin account and it opens ADUC successfully. Fully restricted as expected too, except for the OU's it has been delegated to manage. Try it.
    piątek, 31 lipca 2020 21:18