Domain Controller Local Administrator Group
This will allow the service account or user to read event logs and perform other administrative tasks.
Domain controller local administrator group. By default, the Administrator user account is a member of both of these groups. Tom and Bob, domain users, can now access all PCs remotely as a local administrator. You should see the local admin in that group now. This is considered a service administrator account because its members have full access to the domain controllers in a domain.
In this way, the branch user can be delegated the ability to effectively. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. This scenario makes all members of Server Admins Active Directory admins. Make sure all PCs you want to access are moved to an OU and the above GPO is properly linked to it.
This account is by default a member of the Domain Admins and Administrators groups in the domain, and if the domain is the forest root domain, the account is also a member of the Enterprise Admins group. Unfortunately, domain controllers don't have the local users and groups database once they're promoted to a domain controller. The Domain Admins group has admin rights to the entire domain, not specifically to domain controllers. Local Administrator may not be a good group to add users to on a domain controller; however, for other purposes like Event Log Readers and the like, this worked well.
Within Active Directory, search for your Builtin Administrators group and add your service or user account into that. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins) and by members of the Enterprise Admins group. Any group or account granted "log on locally" rights to domain controllers should be scrutinized. You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers.
Since domain controllers don't have a local Administrators group, the DC updates the domain Administrators group by adding Server Admins. You can run the command net localgroup to display all groups and choose the one best suited for a service account's least-privilege access. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. In each domain in Active Directory, an Administrator account is created as part of the creation of the domain.