Updated: April 17, 2012
Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8
Manages Administrator Role Separation for a read-only domain controller (RODC). Administrator role separation provides a nonadministrative user with the permissions to install and administer an RODC, without granting that user permissions to do any other type of domain administration.
This command is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the Active Directory Lightweight Directory Services (AD LDS) server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).
To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
You can use this subcommand only with the AD DS server role because AD LDS does not include RODCs.
Ntdsutil.exe does not handle certain characters in roles names correctly for local roles management. For example, on a French version of Windows, the following command fails:
show role "opérateurs d’impression"
The command fails because the apostrophe character within the role name is not handled correctly by the command-line input. As a workaround, you can manage the RODC local roles mapping directly by using the following registry entry on the RODC:
Each value corresponds to one local role (the name of the built-in group). The value is the relative ID (RID) (the right-most part of the security identifier (SID)) of the group. You can find the SID value of the group by using the Active Directory Users and Computers snap-in. Right-click the name of the built-in group, click Properties, click the Attribute Editor tab, and look for the objectSid attribute of the group.
To add user accounts to a specific local role
Open Registry Editor and navigate to the RODCROLES subkey.
Right-click the RODCROLES subkey, click New, and then click Multi-String Value.
Type the RID value of the local role. For example, type 548 for the Account Operators group.
Right-click the new value, and then click Modify. Type the SID of the user account that you want to add to that local role. To add multiple user accounts, type each SID on a separate line:
To obtain the SID of a user account, type the following command at an elevated command prompt:
Dsget user <distinguished name of the user account> -sid
To verify the membership of a given user, log on to the RODC as that user, open an elevated command prompt and type whoami /groups.
This issue affects input of all special characters in the ntdsutil: prompt because it does not handle these special characters correctly. As a result, this issue affects all subcommands of Ntdsutil that require special character input.
For examples of how to use this command, see Examples.
add %s1 %s2
Adds an account %s1 to the local role %s2.
Invokes the server connections submenu.
List defined local roles. These roles correspond to the various Built-in groups, such as Administrators, Backup Operators, Server Operators, and so on. Each RODC stores in its Registry a list of accounts that should be considered members of those groups (roles) on that RODC. This list of accounts supplements any members of those groups stored in the directory. For example, suppose the BUILTIN\Administrators group stored in the directory contains a single member, the Domain Admins group. Suppose also that on a particular RODC, fabrikam\MikeDan is listed in the Administrators local role. Then on that RODC, both MikeDan and anyone in the Domain Admins group are considered to be Administrators.
remove %s1 %s2
Removes an account %s1 to the local role %s2.
Shows local role members
Takes you back to the previous menu or exits the tool.
Displays help at the command prompt.
Displays help at the command prompt.
To initially configure Administrator Role Separation for an RODC, you must be a member of the Domain Admins group.
By default, no local administrator role is defined on the RODC after AD DS installation.
By default, the local roles subcommand is performed on the RODC where you run the command. If you need to connect to a different RODC, use the connections parameter.
To add a user account named MikeDan from the Contoso domain to the administrators local role on an RODC, type:
add CONTOSO\MikeDan administrators