Re: OU Delegation
From: Fred Yarbrough (fcyarbrough_at_yahoo.com)
Date: 12/17/04
- Next message: traycoop_at_hotmail.com: "Re: Group Policy Software Installation"
- Previous message: Yor Suiris: "Dead DC vs FSMO"
- In reply to: Desmond Lee: "Re: OU Delegation"
- Next in thread: Desmond Lee: "Re: OU Delegation"
- Reply: Desmond Lee: "Re: OU Delegation"
- Reply: Herb Martin: "Re: OU Delegation"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 17 Dec 2004 16:17:51 -0600
Ok. I sorta get that feeling. How is the best way to allow a user to be
the Administraor for a remote site? Is the fact that I am wanting to all
them access to login to the DC the issue here?
Thanks,
Fred
"Desmond Lee" <mcp@donotspamplease.mars> wrote in message
news:93E01B0B-52A4-4D6F-8B59-FBD6E78D4597@microsoft.com...
>
> > machines within their realm. I have moved the DC into their site's
> OU and
> > set a Logon Locally privilege for the admin in that OU's policy. I
> will
>
> It is discouraged to move a DC out of the default "Domain Controllers" OU,
> as erratic behavior have been reported. Besides, this may cause unexpected
> support issues.
>
>
> "Fred Yarbrough" wrote:
>
> > Herb,
> > Understood somewhat. I figured that the Log On Locally privilege
was
> > the probable issue here. I guess that the fact that this is a DC and
not
> > just a normal server with a Local Security Settings is what is somewhat
> > perplexing me. I only want this site Admin to be able to Administer
> > machines within their realm. I have moved the DC into their site's OU
and
> > set a Logon Locally privilege for the admin in that OU's policy. I will
> > have to check and see if this works.
> >
> > On another note, I would also like for this Admin to have Administrator
> > privileges on each machine within their OU. Is this possible through
> > policies?
> >
> >
> > Thanks,
> > Fred
> >
> >
> >
> > "Herb Martin" <news@LearnQuick.com> wrote in message
> > news:OSOAvoH5EHA.2124@TK2MSFTNGP15.phx.gbl...
> > > "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> > > news:O5XXbtF5EHA.1300@TK2MSFTNGP14.phx.gbl...
> > > >
> > > >
> > > > PROBLEM:
> > > > I need to allow their onsite admin to be able to administrator
their
> > OU.
> > >
> > > > They need to be able to login to the DC and do things and to perform
> > basic
> > > > administrator functions for their site. I added this user to the
> > Delegate
> > > > Control function for their OU but it does not seem to allow them to
> > login
> > > to
> > > > the DC.
> > >
> > > Usually that isn't directly related to OU delegation (which
> > > allows for adding/removing/resetting accounts/passwords
> > > in the OU but not necessarily logging onto the computers.
> > >
> > > To allow Logon to the DC, you will have to either add the
> > > user to a group with this privilege (e.g., Domain Admins,
> > > Server Operators, etc.) or create a group for the explicit
> > > purpose and give it the necessary privileges.
> > >
> > > > Is there something special that I must do to permit this? The DC
> > > > is also used for some minor file sharing. In the past this admin
was
> > just
> > > > granted Domain Administrator rights but I am trying to reduce their
> > > > privileges to only allow them to administrator their own OU.
> > >
> > > Delegating the OU (control of the AD objects) and making
> > > someone a server or even domain admin are two separate
> > > issues.
> > >
> > >
> > > --
> > > Herb Martin
> > >
> > >
> > > >
> > > > Thanks,
> > > > Fred
> > > >
> > > >
> > >
> > >
> >
> >
> >
- Next message: traycoop_at_hotmail.com: "Re: Group Policy Software Installation"
- Previous message: Yor Suiris: "Dead DC vs FSMO"
- In reply to: Desmond Lee: "Re: OU Delegation"
- Next in thread: Desmond Lee: "Re: OU Delegation"
- Reply: Desmond Lee: "Re: OU Delegation"
- Reply: Herb Martin: "Re: OU Delegation"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
