Q. I have domain controllers (DCs) at remote locations that I need the local IT folks to be able to backup and manage, but I don't want to give them domain admin credentials. Can I do this?

A. Windows Server 2008 introduced the Read Only Domain Controller (RODC), which allows administrator role separation—so a user can be delegated management rights for an RODC without giving them any Active Directory domain administrator privileges. These delegated administrators can not only manage the RODC, they can also promote a server to an RODC, as long as a standard domain admin has pre-provisioned the DC. Note that a user who's delegated management permissions on one RODC doesn't have privileges for other RODCs or DCs.

Users can be made delegated administrators during RODC account provisioning, or after creation by adding users or groups to the administrators group. You can add them from the command line using the command

local roles
add <domain>\<user> administrators

If you want to do this on a remote RODC, use

connect to server <RODC>
local roles
add <domain>\<user> administrators

You can also run the command

show role administrators

to see who the delegated administrators are.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.