Windows: How to "hide" domain details from (domain) administrator?

I have a small Windows-based network in our company, incl. a Win2008 server as domain controller and a second, older Win2003 server as a kind of "backup" domain controller. Now I want to let one of my co-workers access the Win2003 server, incl. local admin privileges.

However, this account should only get local admin rights on that server, nothing else. So I basically want to prevent this account from accessing or at least modifying any Windows domain settings (Active Directory). Nor should he be able to log into any other machine except this old server. He must be able to (de-)install programs and start/stop services on it, though.

Any way to do this? Thanks in advance for your help!

Kind regards, Matthias


You can't make someone an Administrator on a DC and prevent them from accessing things like ADUC, GPO, etc. You'd be making them a member of Built-in\Administrators on the Domain, which will then allow them to do whatever they want.

There are no local accounts on a DC.

This is one of the reasons why you use Domain Controllers for only Active Directory and DNS and run other services on other servers. It's much easier to manage delegation and it's much more secure/stable.


Putting them in the Server Operators group will give you that functionality, but my understanding is that it will also give them the ability to "upgrade" their accounts if they wish since they have Server Operator rights.

You won't be able to prevent them from doing anything once they have "admin level" rights to a DC.

Joe Richards over at JoeWare has commented on this in the past in his blogs I believe. Basically, don't grant someone access to a DC if you don't trust them with everything.


Just throwing this out as an idea because I'm not sure if it'll work like you want it to or not, but maybe you can consider adding him to the Power Users group on the machine. That should give him enough privileges to install software on the machine. Without being in at least the Domain Admins group or explicitly granted permissions to the Active Directory information, I don't think he'd be able to touch any of that stuff. Maybe create a test domain user, put him in the same group as your co-worker and add him to the Power Users group of the machine and see what you can and cannot access.

Edit: See joeqwerty's comment... it looks like the Power Users group doesn't exist on DCs.
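The checks behind the answers above, as an added PowerShell example that is not part of the original thread: it reports whether the target box is a domain controller (so any "local" administrator is really a domain administrator), whether the Power Users group exists there at all, and whether a given account is a direct member of Administrators or Server Operators. It assumes PowerShell 2.0 or later on a Windows 2003/2008-era server and an account allowed to read group membership; the computer and user names are placeholder assumptions.

```powershell
# Added example, not code from the original thread. Assumes PowerShell 2.0+
# and read access to local/domain group membership. Names are placeholders.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$UserName     = 'coworker'    # sAMAccountName of the account in question
)

# Win32_ComputerSystem.DomainRole: 0/1 standalone or member workstation,
# 2/3 standalone or member server, 4 backup DC, 5 primary DC.
$cs   = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
$isDc = ($cs.DomainRole -ge 4)
Write-Output ("{0}: DomainRole={1}, domain controller={2}" -f $ComputerName, $cs.DomainRole, $isDc)

# The WinNT ADSI provider needs no extra modules on 2003/2008. On a DC the
# "local" groups it returns are the domain's built-in groups, because a DC
# has no separate local SAM database.
function Get-LocalGroupMemberPaths {
    param([string]$Computer, [string]$GroupName)
    $path = "WinNT://$Computer/$GroupName,group"
    if (-not [ADSI]::Exists($path)) { return $null }   # group absent on this host
    $group = [ADSI]$path
    @($group.Invoke('Members')) | ForEach-Object {
        # Each member is a COM object; pull its ADsPath, e.g. WinNT://CONTOSO/jdoe
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

# Administrators: full control of the host (and of the domain, on a DC).
# Server Operators: exists only on DCs and can be abused to escalate there.
# Power Users: exists only on member servers/workstations, never on a DC.
$groups = 'Administrators', 'Server Operators', 'Power Users'
$pattern = '/' + [regex]::Escape($UserName) + '$'

foreach ($g in $groups) {
    $members = Get-LocalGroupMemberPaths -Computer $ComputerName -GroupName $g
    if ($members -eq $null) {
        Write-Output ("  {0,-17} not present on this machine" -f $g)
        continue
    }
    # Direct membership only: a user reached through a nested group (e.g.
    # Domain Admins inside Administrators) shows up as that group's path.
    $hit  = @($members) | Where-Object { $_ -match $pattern }
    $flag = if ($hit) { "directly contains $UserName" } else { "does not directly contain $UserName" }
    Write-Output ("  {0,-17} {1} member(s); {2}" -f $g, @($members).Count, $flag)
    @($members) | ForEach-Object { Write-Output ("      {0}" -f $_) }
}

if ($isDc) {
    Write-Output 'This host is a domain controller: an administrator here is an administrator of the whole domain.'
}
```

Run it against the Win2003 box (`.\Check-DcAdmin.ps1 -ComputerName OLDSRV -UserName coworker`, names assumed) before and after any group change: on a DC you should see Power Users reported as absent and Server Operators present, which is the situation the answers describe. Because the script lists nested group entries rather than expanding them, check any group path it prints (such as Domain Admins) separately.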