Monday 28 May 2018

Domain Controllers Permissions with limited privileges



Enabling Domain Controllers Permissions with limited privileges




Objective

This lab describes how to enable DC permissions with limited access, so that users can perform server-related administration tasks on the DC.
Once a user is a member of the Server Operators group, they are allowed to:
  • RDP to the DC server
  • Shut down the Domain Controller
  • Restart server services
  • Change the Domain Controller time

Users are not allowed:
  • ADUC (Read Only Permission)
  • GPO (Read Only Permission)
  • Server NIC Administration


Let's Start the Testing

Created User & Granted Permission 
User Name : RBadam
Permission : Server Operators
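
The same setup step in PowerShell, followed by a membership review and a look at the audit trail. This is an added example, not part of the original lab. It assumes the ActiveDirectory RSAT module is installed, that the RBadam account already exists, that "Audit Security Group Management" is enabled on the DC, and that the person running it can read the Security log.

```powershell
# Added example (not from the original lab). Run on the DC or a management host.
Import-Module ActiveDirectory

$user  = 'RBadam'   # lab account from this page; assumed to exist already
# Server Operators is a built-in group with the well-known SID S-1-5-32-549.
# Resolving it by SID still works if the group name is localized.
$sid   = 'S-1-5-32-549'
$group = Get-ADGroup -Identity $sid

# Grant the permission only if the user is not already a direct member.
$direct = Get-ADGroupMember -Identity $group |
    Where-Object SamAccountName -eq $user
if (-not $direct) {
    Add-ADGroupMember -Identity $group -Members $user
}

# Review every effective member (nested groups expanded), so accounts that
# should not hold this role stand out.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LastLogonDate, whenChanged |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, Enabled, LastLogonDate, whenChanged -AutoSize

# Audit trail: event 4732 ("a member was added to a security-enabled local
# group") filtered to this group's SID. Run this part on the DC itself.
$xpath = "*[System[(EventID=4732)]] and " +
         "*[EventData[Data[@Name='TargetSid']='$sid']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            AddedBy   = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            MemberSid = ($data | Where-Object Name -eq 'MemberSid').'#text'
        }
    } |
    Format-Table -AutoSize
```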



Log in as RBadam on the DC


Open ADUC


When a Server Operators member tries to open DSA.MSC, UAC prompts them to re-authenticate. Once past the credential screen, they are allowed into the DSA MMC console based on their delegated permissions.

Their permissions are confined, and they are not allowed to create objects in AD.

Delete options are restricted.

Open GPMC

The GPO console is read-only, which is standard for all domain users.

Delete GPO Permission

Open DNS



Server NIC Configuration

  • Allowed to View IP Configuration 
  • Allowed to View the Status
  • Not Allowed to Disable / Enable
  • Not Allowed to Change the IP Address
*************** Happy Learning *************