How to give an account local admin rights (ONLY) on a Domain Controller

Microsoft Windows
Microsoft Windows Server 2003
Windows Server 2000
I have a few Windows Servers (2000/2003) which are monitored by a managed services company. I want to give these guys a domain account with the following rights:
  1. Restart services on any server in the domain
  2. Reboot any computer in the domain (there are only servers in this domain)
  3. Nothing really higher level than that.
I have 3 questions related to this:
  1. What are the minimum access rights I can delegate to this account to achieve what I want to give them, but nothing more?
  2. What's the easiest way of actually delegating these access rights?
  3. How do I delegate these suggested rights on a DC? (as DCs have no local accounts or groups). There are 2 DCs in this domain.
I need suggestions for both Windows 2000 and Windows 2003 as I'm giving them rights to 2 domains, 1 has Windows 2000 servers and one has 2003. Thanks

Answer Wiki



There are a couple of ways that you can accomplish this. The first, and probably the easiest, is to assign the user accounts to one of the built-in security groups that would meet the criteria of what you want the users to do, such as the ‘Local Administrator’ group, Domain Admins, Backup Operators, etc.

The other option would be to delegate administrative permissions through AD. You can do this by right-clicking on an OU within AD and selecting the ‘Delegate Control’ option from the options menu. This starts the ‘Delegate Control’ wizard, which will walk you through the process. This option will allow you to get very granular in the way you can grant a user rights to perform select administrative tasks.

Good luck!

Discuss This Question: 1  Reply

  • IT0
    Please follow the steps and you will be able to assign local admin rights. Go to Start -> Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups -> Groups -> Administrator, then click on Add and enter the user name. It should appear; otherwise add it as domain_name\username. Thanks, Saqib Ullah