Domain Controller Local Admin Group
When you promote a computer to a domain controller, its local SAM database stops being used as an authentication repository. Microsoft opted to allow only one authentication repository per computer, so on a domain controller that repository is Active Directory: every account is a domain account, and there is no longer a separate set of local users and groups. You are left only with domain user accounts.

On a member server, granting a domain user or group local administrative rights is straightforward. From an administrative command prompt, run net localgroup administrators <domain\user> /add (type the name without the brackets). Adding a domain group rather than each user separately avoids maintaining the local group member by member, and if a domain trust is set up you can also add accounts from other trusted domains. You can run net localgroup on its own to display all local groups and choose the one best suited to a service account's least-privilege needs. Local Administrators is rarely a good group to add users to, but for other purposes, such as Event Log Readers, this works well.

A domain controller behaves differently, and this is where mistakes happen. Since a DC has no local Administrators group, what appears as "Administrators" on it is the domain's built-in Administrators group, and its membership applies to every domain controller in the domain. We often find that a GPO written for servers, which adds a Server Admins group to the local Administrators group, is also linked to the Domain Controllers OU. On the DC there is no local group to update, so the setting adds Server Admins to the domain's built-in Administrators group instead, and every member of Server Admins becomes an Active Directory administrator with full access to the domain controllers. Keep server GPOs unlinked from the Domain Controllers OU, and audit the built-in Administrators group for anything beyond its default members.

The Domain Admins group is considered a service administrator group because its members have full access to the domain controllers in a domain. It controls access to all domain controllers in the domain and can modify the membership of all administrative accounts in the domain. Its own membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins) and by members of the Enterprise Admins group.

The exception is a read-only domain controller (RODC) on Windows Server 2008 and later. There you can delegate local administrative permissions for the RODC to any domain user without granting that user any user rights for the domain or for other domain controllers. This permits a local branch user to log on to the RODC and perform maintenance work on the server, such as upgrading a driver, while the branch user gains no rights anywhere else in the domain.

If a service on a DC must run under a domain account, set the service's logon identity rather than widening group membership. In the service's properties, under Log on as, select the This account option, click Browse, type the name of the account, click Check Names, and click OK. The original procedure uses a member of the Domain Admins group here, which is far more privilege than most services need; pick the least-privileged account that works. Under Password and Confirm password, type the selected account's password and click OK, then click OK three more times to close the remaining dialogs.
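As an added example that is not part of the original article, the following PowerShell puts the distinction above into an audit you can run on any domain-joined Windows host. It detects whether the host is a domain controller, lists the direct members of the effective Administrators group (the domain's built-in Administrators group on a DC, the local SAM group on a member server), flags members outside an allow-list, refuses to add a principal to "local Administrators" on a DC, and lists the delegated administrator of each RODC. It assumes the RSAT ActiveDirectory module is installed; CONTOSO\Server Admins and the allow-list are illustrative assumptions, not names from the article.

```powershell
# Added example, not code from the original article. Audits who is effectively
# an administrator on this host and refuses to widen "local Administrators" on
# a domain controller, where that group is the domain's built-in Administrators.
# Assumptions: RSAT ActiveDirectory module is installed; 'CONTOSO\Server Admins'
# and the allow-list are illustrative values, not anything from the article.
#Requires -Modules ActiveDirectory

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Get-EffectiveAdministrators {
    # Direct members only: nested groups such as 'Server Admins' are what we
    # want to see, and -Recursive would hide them by expanding to their users.
    if (Test-IsDomainController) {
        # S-1-5-32-544 is BUILTIN\Administrators. On a DC it lives in CN=Builtin
        # of the domain partition, so its members are administrators on every DC.
        Get-ADGroupMember -Identity 'S-1-5-32-544' |
            Select-Object -ExpandProperty SamAccountName
    } else {
        # Member server: the real local SAM group; strip the COMPUTER\ or DOMAIN\ prefix.
        Get-LocalGroupMember -Group 'Administrators' |
            ForEach-Object { $_.Name.Split('\')[-1] }
    }
}

function Find-UnexpectedAdministrators {
    param(
        # Default direct membership of BUILTIN\Administrators on a DC.
        [string[]]$Allowed = @('Administrator', 'Domain Admins', 'Enterprise Admins')
    )
    # Anything else (e.g. a 'Server Admins' group pushed in by a server GPO linked
    # to the Domain Controllers OU) is an unintended domain-wide administrator.
    Get-EffectiveAdministrators | Where-Object { $Allowed -notcontains $_ }
}

function Grant-LocalAdministrator {
    param([Parameter(Mandatory)][string]$Principal)   # e.g. 'CONTOSO\Server Admins'
    if (Test-IsDomainController) {
        throw ("Refusing: $env:COMPUTERNAME is a domain controller. There is no local " +
               "Administrators group here; $Principal would become a domain-wide administrator.")
    }
    # Equivalent of: net localgroup administrators "CONTOSO\Server Admins" /add
    Add-LocalGroupMember -Group 'Administrators' -Member $Principal
}

function Get-RodcDelegatedAdministrators {
    # The managedBy attribute of an RODC's computer object holds the user or group
    # delegated local administration of that RODC (the "Managed By" tab); that
    # principal gets no rights on writable DCs or elsewhere in the domain.
    Get-ADDomainController -Filter 'IsReadOnly -eq $true' | ForEach-Object {
        $comp = Get-ADComputer -Identity $_.ComputerObjectDN -Properties managedBy
        [pscustomobject]@{ RODC = $_.HostName; DelegatedAdmin = $comp.managedBy }
    }
}

# Usage:
#   Find-UnexpectedAdministrators                      # returns nothing on a clean DC
#   Grant-LocalAdministrator 'CONTOSO\Server Admins'   # succeeds on a member server, throws on a DC
#   Get-RodcDelegatedAdministrators                    # one row per RODC with its delegated admin
```

Run Find-UnexpectedAdministrators on each DC after linking or changing any GPO that carries Restricted Groups or Local Users and Groups preferences; a Server Admins entry showing up there is exactly the misconfiguration described above. The Grant-LocalAdministrator guard is deliberately a hard failure rather than a warning, since the damage on a DC is a domain-wide privilege grant that nothing in the command's output would otherwise reveal.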