local roles

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008

Manages Administrator Role Separation for a read-only domain controller (RODC). Administrator role separation provides a nonadministrative user with the permissions to install and administer an RODC, without granting that user permissions to do any other type of domain administration.

This command is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the Active Directory Lightweight Directory Services (AD LDS) server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Note

You can use this subcommand only with the AD DS server role because AD LDS does not include RODCs.

Ntdsutil.exe does not handle certain characters in roles names correctly for local roles management. For example, on a French version of Windows, the following command fails:

show role "opérateurs d’impression"

The command fails because the apostrophe character within the role name is not handled correctly by the command-line input. As a workaround, you can manage the RODC local roles mapping directly by using the following registry entry on the RODC:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RODCROLES

Each value corresponds to one local role (the name of the built-in group). The value is the relative ID (RID) (the right-most part of the security identifier (SID)) of the group. You can find the SID value of the group by using the Active Directory Users and Computers snap-in. Right-click the name of the built-in group, click Properties, click the Attribute Editor tab, and look for the objectSid attribute of the group.

To add user accounts to a specific local role

  1. Open Registry Editor and navigate to the RODCROLES subkey.

  2. Right-click the RODCROLES subkey, click New, and then click Multi-String Value.

  3. Type the RID value of the local role. For example, type 548 for the Account Operators group.

  4. Right-click the new value, and then click Modify. Type the SID of the user account that you want to add to that local role. To add multiple user accounts, type each SID on a separate line:

    S-1-5-21-2784665212-3940052439-2066015977-1600

    S-1-5-21-2784665212-3940052439-2066015977-1601

Note

To obtain the SID of a user account, type the following command at an elevated command prompt:
Dsget user <distinguished name of the user account> -sid

  1. Click OK.

To verify the membership of a given user, log on to the RODC as that user, open an elevated command prompt and type whoami /groups.

This issue affects input of all special characters in the ntdsutil: prompt because it does not handle these special characters correctly. As a result, this issue affects all subcommands of Ntdsutil that require special character input.

For examples of how to use this command, see Examples.

Syntax

connections
{add %s1 %s2 | remove %s1 %s2} [list roles] [show roles]

Parameters

Parameter Description

add %s1 %s2

Adds an account %s1 to the local role %s2.

connections

Invokes the server connections submenu.

list roles

List defined local roles. These roles correspond to the various Built-in groups, such as Administrators, Backup Operators, Server Operators, and so on. Each RODC stores in its Registry a list of accounts that should be considered members of those groups (roles) on that RODC. This list of accounts supplements any members of those groups stored in the directory. For example, suppose the BUILTIN\Administrators group stored in the directory contains a single member, the Domain Admins group. Suppose also that on a particular RODC, fabrikam\MikeDan is listed in the Administrators local role. Then on that RODC, both MikeDan and anyone in the Domain Admins group are considered to be Administrators.

remove %s1 %s2

Removes an account %s1 to the local role %s2.

show roles

Shows local role members

quit

Takes you back to the previous menu or exits the tool.

?

Displays help at the command prompt.

Help

Displays help at the command prompt.

Remarks

  • To initially configure Administrator Role Separation for an RODC, you must be a member of the Domain Admins group.

  • By default, no local administrator role is defined on the RODC after AD DS installation.

  • By default, the local roles subcommand is performed on the RODC where you run the command. If you need to connect to a different RODC, use the connections parameter.

Examples

To add a user account named MikeDan from the Contoso domain to the administrators local role on an RODC, type:

add CONTOSO\MikeDan administrators

Additional references

Command-Line Syntax Key

Dsmgmt

Ntdsutil

authoritative restore

configurable settings

DS behavior

files

group membership evaluation

ifm

LDAP policies

metadata cleanup

partition management

roles

security account management

semantic database analysis

set DSRM password

snapshot