Read-Only Domain Admin

Anonymous
2024-02-28T14:45:07+00:00

Long story short, we're having our domain audited for a possible cross-domain project with one of our sister companies. I created a user account for the auditor and added it to the Read-Only Domain Controllers and Remote Desktop Users security groups. The auditor is telling me he can RDP onto the server, but is getting blocked from opening MMC because of UAC password prompts, and that he's unable to access our sub-domains at all. Obviously I don't want to give this guy full-on domain admin rights, but I'm a little green at this level and I don't know what else I need to do to give this guy read-only admin permissions on the top level and to our sub-domains.

Login on the DC server is OK, but when I open the AD Users and Computers console (dsa) it shows the error below. Any insight would be greatly appreciated!

Goal = Active Directory health check with non-admin user


1 answer

  1. Anonymous
    2024-02-29T08:39:02+00:00

    Hello safeersaqib,

    Thank you for posting on the Microsoft Community Forum.

    Based on the description "Login on DC Server is Ok but when open AD user and Computer console (dsa) show below error.", please try this domain user and the password, and check if you can open AD Users and Computers.

    If you cannot open AD Users and Computers after providing the normal domain user credential:

    To provide auditors with read-only access to Active Directory users and computers and to view subdomain information without giving full domain administrator privileges, you can follow these steps:

    1. Give read-only permissions on the top-level domain: Log in to the domain controller of the top-level domain, locate the Domain Controllers container, and give the auditor account Read All Attributes and Read permissions, which will allow them to view user, computer, and other object information within the domain.
    2. Grant read-only permissions on the subdomain: Log in to the domain controller of the subdomain and follow the same steps to give the auditor account the same read-only permissions on the objects of the subdomain.
    3. UAC password hint: UAC on domain controllers can be temporarily disabled to allow auditors to perform audits. However, after the audit is complete, be sure to re-enable UAC to maintain the security of your domain controllers. Find User Account Control: Run All Administrators as Administrator under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and set it to Disabled.
    4. Restart MMC: If the UAC password prompt persists, try restarting the MMC.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

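As an added example (not part of the thread above), the following PowerShell grants the read-only delegation that steps 1 and 2 of the answer describe as an explicit ACE on the domain root, rather than through membership in Read-Only Domain Controllers (a group intended for RODC computer accounts, not for delegating read access to users), and then lists the resulting ACEs so that any write-class right on the group is flagged. It assumes the RSAT ActiveDirectory module, an existing global group named AD-Auditors (placeholder name), and an account permitted to modify the domain root ACL.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module, a pre-created global group "AD-Auditors" (placeholder name) and an
# account allowed to modify the domain root ACL.
Import-Module ActiveDirectory

$AuditGroup = 'AD-Auditors'                      # placeholder group name
$DomainDN   = (Get-ADDomain).DistinguishedName
$GroupSid   = (Get-ADGroup $AuditGroup).SID

# The AD: PSDrive exposes directory objects to Get-Acl / Set-Acl.
$AclPath = "AD:\$DomainDN"
$Acl     = Get-Acl -Path $AclPath

# GenericRead = read properties, list children, list object and read control,
# inherited to every descendant object. No write-class right is granted.
$Ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$Acl.AddAccessRule($Ace)
Set-Acl -Path $AclPath -AclObject $Acl

# Verification: a read-only delegation must carry none of these rights.
$WriteMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

(Get-Acl -Path $AclPath).Access |
    Where-Object { $_.IdentityReference -like "*\$AuditGroup" } |
    ForEach-Object {
        [pscustomobject]@{
            Rights     = $_.ActiveDirectoryRights
            Type       = $_.AccessControlType
            Inherit    = $_.InheritanceType
            WriteClass = (($_.ActiveDirectoryRights -band $WriteMask) -ne 0)
        }
    } | Format-Table -AutoSize
```

The AD: drive is bound to the domain the session is connected to, so run the script once per domain (the top-level domain and each sub-domain), which is what steps 1 and 2 of the answer describe. Authenticated Users can already read most directory attributes by default, so a WriteClass value of True in the output is the only line that needs attention.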