Can you allow MMC/ADUC Snap-in for a Domain User on a Domain Controller


There are a lot of articles on this and I got it all to work using 2 servers.  

I loaded RSAT (just the "AD DS and AD LDS Tools", i.e. MMC) on a standalone Server 2008 R2 with a user login (call it pwdhelpdesk / group "Users"). I created the same user (pwdhelpdesk / group "Domain Users") on the DC and went through all the "Delegate Control" stuff using this article: http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/3f0dbf8e-636b-45fe-93db-f788d5b976fd/

I then tied the 2 servers together using this article: http://technet.microsoft.com/en-us/library/dd759202.aspx

Back on the standalone server, log in as "pwdhelpdesk" -> start MMC -> load the ADUC snap-in -> select "Connect to Domain..." = the current source user "pwdhelpdesk" goes over to the DC as remote user "pwdhelpdesk" with "Delegated Control" for only password reset / unlock account. - PERFECT

NOW TO SET UP MY QUESTION: However - when "pwdhelpdesk" logs directly onto the DC - when attempting to run MMC or ADUC - the User Access Controls deny the ability. Some articles say make "pwdhelpdesk" a member of Backup Operators, or Server Operators, or even disable UAC. None of these seem any good at all.

THE QUESTION: Can a non-admin (Domain User) be configured precisely / surgically to execute MMC or ADUC on a DC?  Please don't say it is not recommended for users to log in to a DC.  I just want to know if it is possible - so I can be thorough in my "help desk reset password / unlock account" architectural report to management.

BTW: I prefer the 2 server method - The standalone can run TS and multiple user CAL Licenses and act as a sort of Jump Host.

Thank you.
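For the "help desk reset password / unlock account" report the post describes, it helps to show that the delegation on the target OU really is limited to those two rights. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module (the same RSAT the post installs) and that the placeholder OU distinguished name is replaced with the real one. The principal name pwdhelpdesk is taken from the post.

```powershell
# Added example: audit what pwdhelpdesk has been delegated on an OU and flag any ACE
# beyond "Reset Password" (extended right) and write access to lockoutTime (unlock).
# Assumes the RSAT ActiveDirectory module; the OU DN is a placeholder to replace.
Import-Module ActiveDirectory

$principal = "pwdhelpdesk"                              # account from the post
$ouDn      = "OU=HelpDeskManaged,DC=example,DC=com"     # placeholder, replace

# Resolve the control-access-right and attribute GUIDs from the forest itself
# instead of hard-coding them, so the check is valid in any domain.
$rootDse     = Get-ADRootDSE
$resetGuid   = [guid](Get-ADObject -SearchBase $rootDse.configurationNamingContext `
                 -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=Reset Password))" `
                 -Properties rightsGuid).rightsGuid
$lockoutGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter "(lDAPDisplayName=lockoutTime)" -Properties schemaIDGUID).schemaIDGUID

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$acl    = Get-Acl -Path "AD:\$ouDn"
$aces   = $acl.Access | Where-Object { $_.IdentityReference -like "*\$principal" }

$hasReset = $false; $hasUnlock = $false; $unexpected = @()
foreach ($ace in $aces) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Reset Password is an extended right keyed by its rightsGuid in ObjectType.
    if ($ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
        $ace.ObjectType -eq $resetGuid) { $hasReset = $true; continue }
    # Unlock is delegated as WriteProperty on the lockoutTime attribute.
    if ($ace.ActiveDirectoryRights.HasFlag($rights::WriteProperty) -and
        $ace.ObjectType -eq $lockoutGuid) { $hasUnlock = $true; continue }
    # Plain read access is harmless; anything else widens the delegation.
    if ($ace.ActiveDirectoryRights -ne $rights::ReadProperty -and
        $ace.ActiveDirectoryRights -ne $rights::GenericRead) { $unexpected += $ace }
}

[pscustomobject]@{
    OU              = $ouDn
    Principal       = $principal
    ResetPassword   = $hasReset
    UnlockAccount   = $hasUnlock
    UnexpectedACEs  = $unexpected.Count
}
# Anything listed here should be removed or justified in the report.
$unexpected | Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
```

Run it from the standalone RSAT host as an account that can read the OU's security descriptor; a non-empty UnexpectedACEs list means the "only password reset / unlock" claim does not hold for that OU.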

