Want to make an Admin for only one Domain Controller

 
 
OscarVogel
      04-07-2006, 08:42 PM
We have 4 DCs. I want to give full administrative privileges to a user, but
only for that one DC. On all other servers I want him to be treated as a
standard Domain User.

How do I do that? Is it possible?

If it's NOT possible (or simple enough) I intend to demote that DC and then
make him a local admin.

Thanks!


 
David V
      04-07-2006, 09:35 PM
If the DC is in a different site than the others, yes. Open AD Sites and
Services, right-click on the site containing that DC, and select Delegate
Control. This opens the Delegate Control Wizard, which you can complete to
give this user administrative control within that site.
Since the Delegate Control Wizard is only available for AD containers, if
the DC is in the same site as the others, you would have to move the DC to an
OU other than the Domain Controllers OU, which is generally not recommended.
You might want to try creating a child OU within the Domain Controllers OU,
and moving the DC into that. I've never actually done that, but it might be
worth a try.

Good Luck!

"OscarVogel" wrote:

> We have 4 DCs. I want to give full administrative privileges to a user, but
> only for that one DC. On all other servers I want him to be treated as a
> standard Domain User.
>
> How do I do that? Is it possible?
>
> If it's NOT possible (or simple enough) I intend to demote that DC and then
> make him a local admin.
>
> Thanks!
>
>
>

 
Steven L Umbach
      04-07-2006, 11:10 PM
That is not possible. About the best you could do is to look at privileged
groups such as server operators and network configuration operators to add
the user to in order to let him do some extra functions but then he would
have those extra powers over all domain controllers. --- Steve


"OscarVogel" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We have 4 DCs. I want to give full administrative privileges to a user,
> but only for that one DC. On all other servers I want him to be treated as
> a standard Domain User.
>
> How do I do that? Is it possible?
>
> If it's NOT possible (or simple enough) I intend to demote that DC and
> then make him a local admin.
>
> Thanks!
>



 
Roger Abell [MVP]
      04-08-2006, 05:25 AM
I am doubting this as a solution.
The poster wants the account to be admin on the one DC.
The only way to be admin is to be admin, which is then that
way for all DCs of the domain, whether via the domain's
Administrators group or the Domain Admins group.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"David V" <(E-Mail Removed)> wrote in message
news:26EA3DF0-E8AA-4CE6-954C-(E-Mail Removed)...
> If the DC is in a different site than the others, yes. Open AD Sites and
> Services, right-click on the site containing that DC, and select Delegate
> Control. This opens the Delegate Control Wizard, which you can complete
> to
> give this user administrative control within that site.
> Since the Delegate Control Wizard is only available for AD containers, if
> the DC is in the same site as the others, you would have to move the DC to
> an
> OU other than the Domain Controllers OU, which is generally not
> recommended.
> You might want to try creating a child OU within the Domain Controllers
> OU,
> and moving the DC into that. I've never actually done that, but it might
> be
> worth a try.
>
> Good Luck!
>
> "OscarVogel" wrote:
>
>> We have 4 DCs. I want to give full administrative privileges to a user,
>> but
>> only for that one DC. On all other servers I want him to be treated as a
>> standard Domain User.
>>
>> How do I do that? Is it possible?
>>
>> If it's NOT possible (or simple enough) I intend to demote that DC and
>> then
>> make him a local admin.
>>
>> Thanks!
>>
>>
>>



 
Roger Abell [MVP]
      04-08-2006, 05:26 AM
demote it

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"OscarVogel" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We have 4 DCs. I want to give full administrative privileges to a user,
> but only for that one DC. On all other servers I want him to be treated as
> a standard Domain User.
>
> How do I do that? Is it possible?
>
> If it's NOT possible (or simple enough) I intend to demote that DC and
> then make him a local admin.
>
> Thanks!
>



 
OscarVogel
      04-08-2006, 02:27 PM
Thanks for the help.

I'd LIKE to try creating a child OU within the Domain Controllers OU,
and moving the DC into that, just to see if it would work.

But it's not a good time to experiment, so I demoted it.

Thanks again!


"OscarVogel" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> We have 4 DCs. I want to give full administrative privileges to a user,
> but only for that one DC. On all other servers I want him to be treated as
> a standard Domain User.
>
> How do I do that? Is it possible?
>
> If it's NOT possible (or simple enough) I intend to demote that DC and
> then make him a local admin.
>
> Thanks!
>



 
Steven L Umbach
      04-08-2006, 05:15 PM
That would not work for what you want as it would not mitigate any threat of
the user having administrator powers over the whole domain and all domain
controllers. You cannot delegate for instance the ability of a user to
install software, change NTFS permissions, edit Local Security
Policy/import security templates, or add hardware to a domain controller.
Delegation is used to give non administrators the ability to manage most
Active Directory functions such as edit Group Policy and create/manage non
privileged users and computer accounts. --- Steve


"OscarVogel" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks for the help.
>
> I'd LIKE to try creating a child OU within the Domain Controllers OU,
> and moving the DC into that, just to see if it would work.
>
> But it's not a good time to experiment, so I demoted it.
>
> Thanks again!
>
>
> "OscarVogel" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> We have 4 DCs. I want to give full administrative privileges to a user,
>> but only for that one DC. On all other servers I want him to be treated
>> as a standard Domain User.
>>
>> How do I do that? Is it possible?
>>
>> If it's NOT possible (or simple enough) I intend to demote that DC and
>> then make him a local admin.
>>
>> Thanks!
>>

>
>



 
Joe Richards [MVP]
      04-10-2006, 12:08 AM
No. Absolutely not.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



David V wrote:
> If the DC is in a different site than the others, yes. Open AD Sites and
> Services, right-click on the site containing that DC, and select Delegate
> Control. This opens the Delegate Control Wizard, which you can complete to
> give this user administrative control within that site.
> Since the Delegate Control Wizard is only available for AD containers, if
> the DC is in the same site as the others, you would have to move the DC to an
> OU other than the Domain Controllers OU, which is generally not recommended.
> You might want to try creating a child OU within the Domain Controllers OU,
> and moving the DC into that. I've never actually done that, but it might be
> worth a try.
>
> Good Luck!
>
> "OscarVogel" wrote:
>
>> We have 4 DCs. I want to give full administrative privileges to a user, but
>> only for that one DC. On all other servers I want him to be treated as a
>> standard Domain User.
>>
>> How do I do that? Is it possible?
>>
>> If it's NOT possible (or simple enough) I intend to demote that DC and then
>> make him a local admin.
>>
>> Thanks!
>>
>>
>>

 
Joe Richards [MVP]
      04-10-2006, 12:09 AM
Demote the server. Anything you try to do can be defeated.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



OscarVogel wrote:
> We have 4 DCs. I want to give full administrative privileges to a user, but
> only for that one DC. On all other servers I want him to be treated as a
> standard Domain User.
>
> How do I do that? Is it possible?
>
> If it's NOT possible (or simple enough) I intend to demote that DC and then
> make him a local admin.
>
> Thanks!
>
>

 
Reply With Quote
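
An added example, not part of the original thread: the replies above name built-in groups (Administrators, Domain Admins, Server Operators, Network Configuration Operators) whose rights apply on every domain controller of the domain. This PowerShell audit lists who holds such membership, directly or through nesting. It assumes the ActiveDirectory (RSAT) module is installed; `Get-DcWidePrivilegedAccount` is a hypothetical function name, and the other operator groups in the list are added here.

```powershell
# Added example: list every account that reaches DC-wide privilege through a
# built-in group. Requires the ActiveDirectory module and directory read access.
Import-Module ActiveDirectory

# Groups named in the thread, plus the other built-in groups (added here)
# whose rights also apply on every domain controller of the domain.
$privilegedGroups = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins',
    'Server Operators', 'Network Configuration Operators',
    'Account Operators', 'Backup Operators', 'Print Operators'
)

function Get-DcWidePrivilegedAccount {
    param([string[]]$GroupName = $privilegedGroups)

    foreach ($name in $GroupName) {
        try {
            # -Recursive flattens nested groups, so indirect members show up.
            Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Group          = $name
                        SamAccountName = $_.SamAccountName
                        ObjectClass    = $_.objectClass
                    }
                }
        }
        catch {
            # For example, Enterprise Admins exists only in the forest root domain.
            Write-Warning "Could not read group '$name': $($_.Exception.Message)"
        }
    }
}

# One row per account, showing every privileged group it reaches.
Get-DcWidePrivilegedAccount |
    Group-Object SamAccountName |
    Sort-Object Name |
    ForEach-Object {
        [pscustomobject]@{
            Account = $_.Name
            Groups  = ($_.Group.Group | Sort-Object -Unique) -join ', '
        }
    } |
    Format-Table -AutoSize
```

Any account in the output has its rights on all domain controllers at once, which is why the thread's answer for a single-server admin is to demote that server and use its local Administrators group.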
 
 
 