Add User or Group as Local Administrator on Domain Controller


As a Systems Administrator or Engineer, you might run into a situation where you need to add a user or service account as a Local Administrator on a Domain Controller. Unfortunately, a server no longer has a Local Users and Groups database once it has been promoted to a Domain Controller. Depending on what your needs are, you might be able to add the user or service account to the Domain\Administrators group within Active Directory. This will allow the service account or user to read Event Logs and perform other administrative tasks.

Within Active Directory, search for your Builtin\Administrators group and add your service or user account to that group. If you have a Domain Trust set up, you can also add accounts from other trusted domains.

From an administrative command prompt, you can run net localgroup Administrators /add {domain}\{user} without the brackets.

You can, however, set up local administrators on Read-Only DCs (RODCs) on Windows 2008 Domain Controllers and higher. This will grant local permissions to the server without granting advanced Active Directory permissions.

WARNING: Adding a service or user account to the group above will grant the account permissions to make changes in your Active Directory environment, not just the local Domain Controller server.
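
Because membership in this group carries rights across the directory, it is worth reviewing after any change. The script below is an added example, not part of the original post: it lists the direct members of Builtin\Administrators and flags any that are not in a baseline. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the $Approved list is a constructed sample to replace with your own.

```powershell
# Added example: audit direct members of Builtin\Administrators in the domain.
# Assumes the ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

# Constructed sample baseline; replace with the accounts and groups you expect.
$Approved = @('Administrator', 'Domain Admins', 'Enterprise Admins')

# S-1-5-32-544 is the well-known SID of Builtin\Administrators, so the lookup
# works regardless of the display language of the domain.
$group = Get-ADGroup -Identity 'S-1-5-32-544' -Properties member

# Read the 'member' attribute directly so that accounts from trusted domains
# (stored as foreignSecurityPrincipal objects) are listed as well.
$report = foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties sAMAccountName

    # Foreign security principals have no sAMAccountName; their Name is the SID.
    $name = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }

    [pscustomobject]@{
        Name        = $name
        ObjectClass = $obj.ObjectClass
        Approved    = $Approved -contains $name
        DN          = $dn
    }
}

$report | Sort-Object Approved, Name | Format-Table -AutoSize

# Direct members only: a nested group listed here must be expanded separately.
$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) member(s) of Builtin\Administrators are not in the approved baseline."
}
```

Run it on a schedule and after each change made with the steps above, so that a service account added for Event Log access does not stay in the group unnoticed.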

January 10th, 2017 | Categories: Windows
