Driver Scanner 2012 - Free Scan Now
Results 1 to 3 of 3

Thread: Read Only Domain Controller - local Admingroup

  1. #1
    Robert Wegner Guest

    Default Read Only Domain Controller - local Admingroup

    Hi,

    i'm currently testing W2k8- RDOC. I read an tutorial where
    i learned that in opposite to a DC an RDOC has a local
    admin-group. It said in order to add a user to the local admins
    you should use dsmgmt and add the user to the local role
    administrators. So i added "testadmin1".
    As far as i can tell that worked fine.

    But, in my test-domain (where the RDOC is located as well)
    i also have a GPO in place, which adds a group called
    "client-admins" to the local admingroup on every server and
    client.

    Now, on the RDOC at the commandline, when i type
    "...local roles: show role administrators"
    it shows only "testadmin1".
    When i type "net localgroup administrators" it shows
    two members, the "administrator" and the group "client-
    admins" from the GPO.
    Why is that?

    thanks and best regards,

    rob

  2. Sponsored Links



  3. #2
    Marcos Paione Guest

    Default Re: Read Only Domain Controller - local Admingroup

    Well RODC has a specific feature named Administrator Role Separation, that's
    means that you could have users in local Admin group without impact AD ,
    from that point of view RODC has the same behavior that a member server and
    for that reason the GPO is populating the group.

    --

    Saludos
    Marcos Paione
    MCSA,MCSE,MCDBA,MCITP,CCNA
    marcospaionenospam@hotmail.com

    "Robert Wegner" <robweg@gmx.net> wrote in message
    newsZadnU7S86jt6xnWnZ2dnUVZ7vednZ2d@giganews.com...
    > Hi,
    >
    > i'm currently testing W2k8- RDOC. I read an tutorial where
    > i learned that in opposite to a DC an RDOC has a local
    > admin-group. It said in order to add a user to the local admins
    > you should use dsmgmt and add the user to the local role
    > administrators. So i added "testadmin1".
    > As far as i can tell that worked fine.
    >
    > But, in my test-domain (where the RDOC is located as well)
    > i also have a GPO in place, which adds a group called
    > "client-admins" to the local admingroup on every server and
    > client.
    >
    > Now, on the RDOC at the commandline, when i type
    > "...local roles: show role administrators"
    > it shows only "testadmin1".
    > When i type "net localgroup administrators" it shows
    > two members, the "administrator" and the group "client-
    > admins" from the GPO.
    > Why is that?
    >
    > thanks and best regards,
    >
    > rob




  4. #3
    Robert Wegner Guest

    Default Re: Read Only Domain Controller - local Admingroup

    Marcos Paione schrieb:
    > Well RODC has a specific feature named Administrator Role Separation, that's
    > means that you could have users in local Admin group without impact AD ,
    > from that point of view RODC has the same behavior that a member server and
    > for that reason the GPO is populating the group.
    >


    Thanks Marcos. But who is admin on the RDOC now? Just the one i put
    in via dsmgmt, or just the ones that are coming from the GPO, or both
    of them? And why is dsmgmt and net groups showing different results when
    asking who's in the administrators-group?

    Thanks again,
    best regards, rob

Similar Threads

  1. Multiple domains on single domain controller
    By Kelly Armitage in forum microsoft.public.windows.server.general
    Replies: 8
    Last Post: 21st February 2010, 09:30
  2. Taking down a domain controller for a short time
    By tnt in forum microsoft.public.windows.server.general
    Replies: 2
    Last Post: 8th January 2010, 12:30
  3. Help domain controller failed
    By Thomas R Grassi Jr in forum microsoft.public.windows.server.general
    Replies: 2
    Last Post: 31st December 2009, 00:13
  4. restore windows 2000 domain controller to SBS2003 domain
    By 2000 server in forum microsoft.public.windows.server.general
    Replies: 1
    Last Post: 31st December 2009, 00:12

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Recommended Download



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47