I am setting up a Server 2008 R2 RD Web Access server and I want users to be able to run ADUC without adding them to the server's local administrator group. All the users have the necessary domain rights to use various aspects of ADUC. I plan to add the users to the Remote Desktop Users group with user-level access. However, I've been told "if any of the applications require a promoted token to use (like ADUC) in order to get that token, the account used has to be capable of receiving from that server (thus the account has to be a local admin)."
Before I start testing, I thought I would see if this statement is correct. I've read several other threads saying that simply disabling UAC on the terminal server will allow a user to run ADUC without being a member of the local admin group. I find it hard to believe that you would have to give everyone local administrative rights in order for them to run ADUC.