Superuser on Domain Controller
-
Hi. How can I allow a user (Domain User?) to log on to a DC, and unlock user accounts? I've created a group called "SuperUsers". I've added the group SuperUsers to the Remote Desktop Users, and added the group in the "Allow logon through Terminal Services" option in Local Security Policy - and Delegate Control... by setting the Read/Write lockout properties on user accounts. But when the user tries to start mmc.exe, the user is asked for Administrator credentials. I know that you can do it with Remote Desktop Administrative Tools - but it's an assignment, where it has to be done on the Domain Controller. Edit: Wrong forum. How do I move it to "System Admin"?
-
I solved the problem. I needed to create an extra GPO, which overrules the "Default Domain Controllers Policy" - and add the SuperUsers group to the "Allow log on locally" property in Policies -> Windows Settings -> Security Settings -> Local Policies/User Rights Assignment. Now a normal Domain User can be delegated the job of unlocking users on the domain controller using Remote Desktop.
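
The delegation discussed in this thread, scripted and then audited for least privilege. This is an added example, not code posted by anyone in the thread. It assumes the ActiveDirectory PowerShell module, an account allowed to change the ACL, and a hypothetical OU named "Staff" that holds the user accounts; only the group name "SuperUsers" comes from the thread.

```powershell
Import-Module ActiveDirectory

$Group    = 'SuperUsers'                                # group name from the thread
$Domain   = Get-ADDomain
$TargetDN = "OU=Staff,$($Domain.DistinguishedName)"     # hypothetical OU (assumption)

# Resolve schema GUIDs from the directory instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$userClass   = Get-SchemaGuid 'user'

# Grant Read/Write on the lockoutTime property only, inherited to user objects.
# This is the same right the Delegate Control wizard step in the post sets.
dsacls $TargetDN /I:S /G "$($Domain.NetBIOSName)\${Group}:RPWP;lockoutTime;user" | Out-Null

# Audit: every ACE held by the group on this OU must be an Allow ACE that is
# limited to ReadProperty/WriteProperty on lockoutTime for user objects.
$allowed = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$aces = (Get-Acl "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$Group" }

foreach ($ace in $aces) {
    $scoped = $ace.AccessControlType -eq 'Allow' -and
              $ace.ObjectType -eq $lockoutTime -and
              $ace.InheritedObjectType -eq $userClass -and
              (([int]$ace.ActiveDirectoryRights) -band (-bnot $allowed)) -eq 0
    [pscustomobject]@{
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $ace.ObjectType
        AppliesTo  = $ace.InheritedObjectType
        Verdict    = if ($scoped) { 'OK: lockoutTime only' } else { 'REVIEW: broader than unlock' }
    }
}

# A delegated user can then unlock an account without administrator rights:
#   Unlock-ADAccount -Identity <samAccountName>
```

Any row marked REVIEW means the group holds more than the unlock right on that OU, which matters here because its members can also log on interactively to the domain controller.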