Re: OU Delegation


From: Fred Yarbrough (fcyarbrough_at_yahoo.com)
Date: 12/17/04


Date: Fri, 17 Dec 2004 15:38:30 -0600

Herb,
    Understood somewhat. I figured that the Log On Locally privilege was
the probable issue here. I guess that the fact that this is a DC and not
just a normal server with a Local Security Settings is what is somewhat
perplexing me. I only want this site Admin to be able to Administer
machines within their realm. I have moved the DC into their site's OU and
set a Logon Locally privilege for the admin in that OU's policy. I will
have to check and see if this works.

On another note, I would also like for this Admin to have Administrator
privileges on each machine within their OU. Is this possible through
policies?

Thanks,
Fred

"Herb Martin" <news@LearnQuick.com> wrote in message
news:OSOAvoH5EHA.2124@TK2MSFTNGP15.phx.gbl...
> "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> news:O5XXbtF5EHA.1300@TK2MSFTNGP14.phx.gbl...
> >
> >
> > PROBLEM:
> > I need to allow their onsite admin to be able to administer their OU.
>
> > They need to be able to login to the DC and do things and to perform basic
> > administrator functions for their site. I added this user to the Delegate
> > Control function for their OU but it does not seem to allow them to login to
> > the DC.
>
> Usually that isn't directly related to OU delegation (which
> allows for adding/removing/resetting accounts/passwords
> in the OU but not necessarily logging onto the computers).
>
> To allow Logon to the DC, you will have to either add the
> user to a group with this privilege (e.g., Domain Admins,
> Server Operators, etc.) or create a group for the explicit
> purpose and give it the necessary privileges.
>
> > Is there something special that I must do to permit this? The DC
> > is also used for some minor file sharing. In the past this admin was just
> > granted Domain Administrator rights but I am trying to reduce their
> > privileges to only allow them to administer their own OU.
>
> Delegating the OU (control of the AD objects) and making
> someone a server or even domain admin are two separate
> issues.
>
>
> --
> Herb Martin
>
>
> >
> > Thanks,
> > Fred
> >
> >
>
>
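
The distinction drawn in the reply above, between delegated control of an OU and the Log On Locally right on the DC, can be checked against a security template export. The following is an added example, not part of the original thread: it assumes the INF format written by `secedit /export /cfg`, and the export text and the group names `SiteA-OU-Admins` and `SiteA-DC-Logon` are constructed for illustration.

```python
# Added example: sample data below is constructed, not taken from the thread.
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-550": "BUILTIN\\Print Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Constructed export; SiteA-DC-Logon is a hypothetical purpose-built group.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,SiteA-DC-Logon
[Version]
signature="$CHICAGO$"
"""

def privilege_holders(inf_text, right):
    """Return the principals granted `right` in the [Privilege Rights] section."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == right.lower():
                # SIDs are written with a leading '*'; plain names have none.
                return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []

def can_log_on_locally(inf_text, memberships):
    """True if any of the account's SIDs or group names holds the right."""
    held = {m.lower() for m in memberships}
    holders = privilege_holders(inf_text, "SeInteractiveLogonRight")
    return any(h.lower() in held for h in holders)

def describe(holders):
    """Map well-known SIDs to readable names; leave other entries unchanged."""
    return [WELL_KNOWN.get(h, h) for h in holders]

if __name__ == "__main__":
    print(describe(privilege_holders(SAMPLE_EXPORT, "SeInteractiveLogonRight")))
```

An account that only belongs to the delegated OU group is absent from the holder list, while one also placed in the purpose-built logon group is present.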


