Re: OU Delegation


From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: Sat, 18 Dec 2004 00:24:13 GMT

Your reason for moving the dc into the OU being delegated would not really
give you much. For instance, it will not allow the users delegated authority
to the OU domain admin-like access to the domain controller for things like
changing networking configuration, configuring Local Security Policy,
starting and stopping services [though that can be configured via Group
Policy], or installing software. If you grant logon locally access in
Domain Controller Security Policy it would allow a user to logon to all
domain controllers in a default installation. You could create a child OU of
the domain controllers container with its own GPO to configure the user
right for logon locally that would apply to just domain controllers in that
child OU. All other Domain Controller Security Policy would still apply to
that child OU other than settings you define in the GPO for that child OU,
such as logon locally. In fact that could be the only setting you define in
the GPO for the child OU. There is a Local Security Policy for all Windows
2003 computers. That made it harder to find compared to W2K, but secpol.msc
will bring it up. --- Steve

"Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
news:OcXhS5H5EHA.1452@TK2MSFTNGP11.phx.gbl...
> Steven,
> Thanks for the response. I am talking about a W2K3 Native Mode AD
> implementation here. I had the same thoughts as you on moving the DC from
> the default Domain Controller OU. The reason that I did move this DC to
> their site OU was in hopes that I could define an OU policy that would limit
> what the Admin could do to only their OU. If I attempt to grant a Logon
> Locally privilege back at the Domain Controller OU they have this right on
> all other DCs too. Does this make sense?
>
> Since this is a DC, there is no Local Security Policy that I can find.
>
> I am well versed with permissions but don't have a clue with this policy and
> OU delegation stuff.
>
> Thanks,
> Fred
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:IHEwd.210034$V41.60437@attbi_s52...
>> Normally it is not a good idea to move a domain controller out of the
>> domain controller container for the sake of consistent application of
>> security policy. In a default AD domain you would have to add the
>> "delegated" user to the right to logon locally in Domain Controller
>> Security Policy. If you have Domain Controller Security Policy linked to
>> that OU and applied to your dc then that is where you should configure it.
>> Otherwise check the Local Security Policy on the domain controller for the
>> user right to logon locally. You will still find that he has limited
>> access to the dc itself. You still need to be a domain admin to do things
>> like change tcp/ip configuration on the domain controller. --- Steve
>>
>> "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
>> news:O5XXbtF5EHA.1300@TK2MSFTNGP14.phx.gbl...
>> > BACKGROUND:
>> > We have a sister company in Knoxville (connected to us via a WAN link)
>> > who uses our domain. We located a DC there and they have a couple of
>> > other file and printer sharing machines too. I created them an OU for
>> > their site and added their users, computers, DC, and servers to this OU.
>> > This all works like a champ.
>> >
>> > PROBLEM:
>> > I need to allow their onsite admin to be able to administer their OU.
>> > They need to be able to login to the DC and do things and to perform
>> > basic administrator functions for their site. I added this user to the
>> > Delegate Control function for their OU but it does not seem to allow
>> > them to login to the DC. Is there something special that I must do to
>> > permit this? The DC is also used for some minor file sharing. In the
>> > past this admin was just granted Domain Administrator rights but I am
>> > trying to reduce their privileges to only allow them to administer
>> > their own OU.
>> >
>> > Thanks,
>> > Fred
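The child-OU approach Steve outlines, as an added PowerShell example that is not part of the thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later rather than the 2003 environment discussed), a hypothetical site-admin group and branch DC name, and writes the user-right template straight into the GPO's SYSVOL folder because no cmdlet sets user rights assignments.

```powershell
# Added example (not the thread's code): scope "Allow log on locally" to one
# branch DC via a child OU under Domain Controllers, as Steve describes.
Import-Module ActiveDirectory, GroupPolicy
$siteAdmins = 'Knoxville Site Admins'   # hypothetical delegated admin group
$branchDc   = 'KNOXDC1'                 # hypothetical branch-office DC
$childOu    = 'Knoxville DCs'
$gpoName    = 'Knoxville DC - Allow log on locally'
$domain  = Get-ADDomain
$dcOuDn  = $domain.DomainControllersContainer
$childDn = "OU=$childOu,$dcOuDn"

# 1. Child OU: the Default Domain Controllers Policy still applies to it; the
#    GPO below overrides only the one setting it defines.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$childDn'")) {
    New-ADOrganizationalUnit -Name $childOu -Path $dcOuDn
}

# 2. GPO linked to the child OU only (reused if it already exists).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
if (-not ((Get-GPInheritance -Target $childDn).GpoLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $childDn -LinkEnabled Yes | Out-Null
}

# 3. A user right set in a lower GPO replaces, not merges with, the list from
#    the Default Domain Controllers Policy, so the built-in operator groups
#    (Administrators, Account/Server/Print/Backup Operators) stay in the list.
$sid = (Get-ADGroup -Identity $siteAdmins).SID.Value
$defaults = '*S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551'
$inf = "[Unicode]`r`nUnicode=yes`r`n[Version]`r`nsignature=`"`$CHICAGO`$`"`r`nRevision=1`r`n" +
       "[Privilege Rights]`r`nSeInteractiveLogonRight = $defaults,*$sid`r`n"
$gpoRoot = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"
$secEdit = Join-Path $gpoRoot 'MACHINE\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $secEdit -Force | Out-Null
Set-Content -Path (Join-Path $secEdit 'GptTmpl.inf') -Value $inf -Encoding Unicode

# 4. Register the Security Settings client-side extension on the GPO and bump
#    its version, or the DC never processes the template.
$newVer = (Get-ADObject -Identity $gpo.Path -Properties versionNumber).versionNumber + 1
Set-ADObject -Identity $gpo.Path -Replace @{
    gPCMachineExtensionNames = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
    versionNumber            = $newVer
}
Set-Content -Path (Join-Path $gpoRoot 'gpt.ini') -Value "[General]`r`nVersion=$newVer"

# 5. Move the branch DC in (the accidental-deletion guard also blocks moves).
$dc = Get-ADComputer -Identity $branchDc
Set-ADObject -Identity $dc.ObjectGUID -ProtectedFromAccidentalDeletion $false
Move-ADObject -Identity $dc.ObjectGUID -TargetPath $childDn
Set-ADObject -Identity $dc.ObjectGUID -ProtectedFromAccidentalDeletion $true
```

After SYSVOL replication, run `gpupdate /force` on the branch DC and confirm with `gpresult /scope computer /v` that only that DC lists the site-admin group under Allow log on locally, while the other DCs keep the default list.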


