
Windows 2003 DC - No Option To Logon To Server 2

Status
Not open for further replies.

llcoolg

Technical User
Jun 28, 2006
2
GB
Hi there,

I have a Windows 2003 server that is a domain controller. When the server boots up, the logon GUI is presented as standard. However, the only option I have in the drop-down list is to log on to the domain and not log on locally to the server itself. Simply put, the domain name is listed but there is no sign of the server name itself.

Could this be a policy hiding the ability to log on locally? Any advice you could offer would be greatly appreciated.

Regards,
Cool G
 
This is by design. I believe that once you make a server a Domain Controller, the only option is to log onto the domain.
 
pgaliardo is correct. Domain Controllers have no local accounts.
 
Excellent - thanks to you both for posting.

Just replicated it myself on a test server.

Kind Regards,
G.
 
Sorry to tag onto this thread, but please can someone tell me if it is possible to assign local rights to a Domain Controller?

What I am trying to do is have a Domain account and only grant it Local Administrator rights to the servers in the Domain that the account needs to manage. This is easy on a member server because you just add the account into the local Administrators group. How can you do this on a Domain Controller without adding the account to a group that gives it Administrator access to the Domain also?

--------------------------------------
"Insert funny comment in here!"
--------------------------------------
 
As far as I know, you can't. Once you create a domain controller, the local users option is made unavailable.
 
PG has nailed it there: once you install the DC role on any machine, it automatically negates the local users. You can't even log on as a local user. What you would have to do is create a new user, and specify neatly the permissions you want to give it. You can specify that a user can only log on to certain computers. So you could create your deprecated admin account for domain controllers, then specify they can only access the domain controller machine accounts.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Yeah, I think Neil has the answer. You have to get creative with your AD Groups and Users. Neil is right, you can give them admin rights, but not allow them to even log on to the DCs they shouldn't be accessing. But creating a local admin is definitely not an option.
 
Thanks PG. :)

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 
Thanks for the answers guys. Just out of interest, what is the difference between the Administrators group found in the Builtin OU and the Domain Admins group?

--------------------------------------
"Insert funny comment in here!"
--------------------------------------
 
The high-level permissions for accessing such services as Active Directory to make edits.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant
 