Block access to ADUC

[nhidalgo]

I have an application that runs on a domain controller that requires admin rights locally for a user to run it. We have the user added to the built in administrators group on the domain, but they then have access to our AD console. How can i remove this right so they cannot open active directory users and computers console.
THanks
Nick

 

[Davetoo]

They can open it, but they can't do anything with it.

Anyone can download and run the MSC on their local machines, but they can't do anything with the information other than view it.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!

 

[ITPangaeaArchitect]

wait you have some app running on a DC (shame shame) that you gave a normal user administrator group membership in order for them to run it? is that right? you need to cut that junk out asap.

You will NOT be able to restrict this user without also restricting yourself.

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 

[Councilk]

I agree, this application should run on a terminal or other member server. It's probably a poorly written application, or assumptions have been made that it has to run on a DC