Read Only Domain Controller - local Admingroup

Robert Wegner · 24th February 2010

Hi,

i'm currently testing W2k8- RDOC. I read an tutorial where
i learned that in opposite to a DC an RDOC has a local
admin-group. It said in order to add a user to the local admins
you should use dsmgmt and add the user to the local role
administrators. So i added "testadmin1".
As far as i can tell that worked fine.

But, in my test-domain (where the RDOC is located as well)
i also have a GPO in place, which adds a group called
"client-admins" to the local admingroup on every server and
client.

Now, on the RDOC at the commandline, when i type
"...local roles: show role administrators"
it shows only "testadmin1".
When i type "net localgroup administrators" it shows
two members, the "administrator" and the group "client-
admins" from the GPO.
Why is that?

thanks and best regards,

rob

Marcos Paione · 24th February 2010

Well RODC has a specific feature named Administrator Role Separation, that's
means that you could have users in local Admin group without impact AD ,
from that point of view RODC has the same behavior that a member server and
for that reason the GPO is populating the group.

--

Saludos
Marcos Paione
MCSA,MCSE,MCDBA,MCITP,CCNA
marcospaionenospam@hotmail.com

"Robert Wegner" <robweg@gmx.net> wrote in message
news

ZadnU7S86jt6xnWnZ2dnUVZ7vednZ2d@giganews.com...
> Hi,
>
> i'm currently testing W2k8- RDOC. I read an tutorial where
> i learned that in opposite to a DC an RDOC has a local
> admin-group. It said in order to add a user to the local admins
> you should use dsmgmt and add the user to the local role
> administrators. So i added "testadmin1".
> As far as i can tell that worked fine.
>
> But, in my test-domain (where the RDOC is located as well)
> i also have a GPO in place, which adds a group called
> "client-admins" to the local admingroup on every server and
> client.
>
> Now, on the RDOC at the commandline, when i type
> "...local roles: show role administrators"
> it shows only "testadmin1".
> When i type "net localgroup administrators" it shows
> two members, the "administrator" and the group "client-
> admins" from the GPO.
> Why is that?
>
> thanks and best regards,
>
> rob

Robert Wegner · 24th February 2010

Marcos Paione schrieb:
> Well RODC has a specific feature named Administrator Role Separation, that's
> means that you could have users in local Admin group without impact AD ,
> from that point of view RODC has the same behavior that a member server and
> for that reason the GPO is populating the group.
>

Thanks Marcos. But who is admin on the RDOC now? Just the one i put
in via dsmgmt, or just the ones that are coming from the GPO, or both
of them? And why is dsmgmt and net groups showing different results when
asking who's in the administrators-group?

Thanks again,
best regards, rob