Re: OU Delegation
From: Fred Yarbrough (fcyarbrough_at_yahoo.com)
Date: 12/20/04
- Next message: Allison: "WINS settings"
- Previous message: Laura A. Robinson: "Re: GPO, MSI, Elevated Priviledges"
- In reply to: Steven L Umbach: "Re: OU Delegation"
- Next in thread: Steven L Umbach: "Re: OU Delegation"
- Reply: Steven L Umbach: "Re: OU Delegation"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 20 Dec 2004 10:55:23 -0600
I can see the local policy running the secpol.msc but I cannot make a change
to it. I guess that I will make the Child OU under the Domain Controller OU
and set the policy there.
Thanks to all.
Fred
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:NMKwd.212106$V41.118082@attbi_s52...
> Your reason for moving the dc into the OU being delegated would not really
> give you much. For instance it will not allow the users delegated authority
> to the OU domain admin like access to the domain controller for things like
> changing networking configuration, configuring Local Security Policy,
> starting and stopping services [though that can be configured via Group
> Policy], or installing software. If you grant logon locally access to
> Domain Controller Security Policy it would allow a user to log on to all
> domain controllers in a default installation. You could create a child OU of
> the Domain Controllers container with its own GPO to configure the user
> right for logon locally that would apply to just domain controllers in that
> child OU. All other Domain Controller Security Policy would still apply to
> that child OU other than settings you define in the GPO for that child OU
> such as logon locally. In fact that could be the only setting you define in
> the GPO for the child OU. There is a Local Security Policy for all Windows
> 2003 computers. That made it harder to find compared to W2K but secpol.msc
> will bring it up. --- Steve
>
>
> "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> news:OcXhS5H5EHA.1452@TK2MSFTNGP11.phx.gbl...
> > Steven,
> > Thanks for the response. I am talking about a W2K3 Native Mode AD
> > implementation here. I had the same thoughts as you on moving the DC from
> > the default Domain Controllers OU. The reason that I did move this DC to
> > their site OU was in hopes that I could define an OU policy that would
> > limit what the Admin could do to only their OU. If I attempt to grant a
> > Logon Locally privilege back at the Domain Controllers OU they have this
> > right on all other DCs too. Does this make sense?
> >
> > Since this is a DC, there is no Local Security Policy that I can find.
> >
> > I am well versed with permissions but don't have a clue with this policy
> > and OU delegation stuff.
> >
> >
> > Thanks,
> > Fred
> >
> >
> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> > news:IHEwd.210034$V41.60437@attbi_s52...
> >> Normally it is not a good idea to move a domain controller out of the
> >> Domain Controllers container for the sake of consistent application of
> >> security policy. In a default AD domain you would have to add the
> >> "delegated" user to the right to log on locally in Domain Controller
> >> Security Policy. If you have Domain Controller Security Policy linked to
> >> that OU and applied to your dc then that is where you should configure
> >> it. Otherwise check the Local Security Policy on the domain controller
> >> for the user right to log on locally. You will still find that he has
> >> limited access to the dc itself. You still need to be a domain admin to
> >> do things like change TCP/IP configuration on the domain controller.
> >> --- Steve
> >>
> >>
> >> "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
> >> news:O5XXbtF5EHA.1300@TK2MSFTNGP14.phx.gbl...
> >> >
> >> > BACKGROUND:
> >> > We have a sister company in Knoxville (connected to us via a WAN link)
> >> > who uses our domain. We located a DC there and they have a couple of
> >> > other file and printer sharing machines too. I created them an OU for
> >> > their site and added their users, computers, DC, and servers to this
> >> > OU. This all works like a champ.
> >> >
> >> >
> >> > PROBLEM:
> >> > I need to allow their onsite admin to be able to administer their OU.
> >> > They need to be able to log in to the DC and do things and to perform
> >> > basic administrator functions for their site. I added this user to the
> >> > Delegate Control function for their OU but it does not seem to allow
> >> > them to log in to the DC. Is there something special that I must do to
> >> > permit this? The DC is also used for some minor file sharing. In the
> >> > past this admin was just granted Domain Administrator rights but I am
> >> > trying to reduce their privileges to only allow them to administer
> >> > their own OU.
> >> >
> >> > Thanks,
> >> > Fred
> >> >
> >> >
> >>
> >>
> >
> >
>
>
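The approach Steve lays out in the thread, a child OU under the Domain Controllers container holding only the branch DC, with a GPO linked there whose only setting is the "Allow log on locally" user right, scripted as an added example. This is not code from the thread or from any of the posters; it assumes a Domain Admin session on a domain controller with the RSAT ActiveDirectory and GroupPolicy modules (neither existed in 2004, so it targets a current domain), and the OU, group, computer and GPO names are placeholders. It also carries the caveat a practitioner wants here: a user right defined in the child GPO replaces the parent's list for that right instead of merging with it, so the default DC holders must be re-listed alongside the site-admin group.

```powershell
# Added example (not from the thread). Child OU under "Domain Controllers",
# branch DC moved into it, GPO linked only there that grants
# "Allow log on locally" to a site-admin group. Every name below is a
# hypothetical placeholder. Requires RSAT ActiveDirectory + GroupPolicy modules.

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain     = Get-ADDomain
$domainDN   = $domain.DistinguishedName
$dcOU       = "OU=Domain Controllers,$domainDN"
$childName  = "Knoxville DCs"
$childOU    = "OU=$childName,$dcOU"
$branchDC   = "KNOXDC01"                        # the DC at the remote site
$siteAdmins = "Knoxville Site Admins"           # group holding the delegated admin
$gpoName    = "Knoxville DC - Allow log on locally"

# 1. Child OU directly under the Domain Controllers container. GPOs linked
#    to the parent (Default Domain Controllers Policy) still apply to it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$childName'" -SearchBase $dcOU -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $childName -Path $dcOU
}

# 2. Move only the branch DC. The other DCs never receive the new GPO.
Move-ADObject -Identity (Get-ADComputer -Identity $branchDC).DistinguishedName -TargetPath $childOU

# 3. Create the GPO and link it to the child OU only.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Name $gpoName -Target $childOU -LinkEnabled Yes | Out-Null
}

# 4. There is no cmdlet for User Rights Assignment, so write the security
#    template the Security client-side extension (CSE) reads from SYSVOL.
#    Caveat: the right defined here REPLACES the parent's list, so re-list the
#    default DC holders (Administrators, Account/Backup/Print/Server Operators,
#    Enterprise Domain Controllers) plus the site-admin group.
$siteSid = (Get-ADGroup -Identity $siteAdmins).SID.Value
$holders = @("*S-1-5-32-544", "*S-1-5-32-548", "*S-1-5-32-551",
             "*S-1-5-32-550", "*S-1-5-32-549", "*S-1-5-9", "*$siteSid") -join ","

$policyDir = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"
$secEdit   = Join-Path $policyDir "Machine\Microsoft\Windows NT\SecEdit"
New-Item -ItemType Directory -Path $secEdit -Force | Out-Null
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $holders
"@ | Set-Content -Path (Join-Path $secEdit "GptTmpl.inf") -Encoding Unicode

# Register the Security CSE on the GPO and bump the machine-side version so
# clients apply the change. The two GUIDs are Microsoft's well-known IDs for
# the Security CSE and its editor extension.
$gpoObj = Get-ADObject -Identity $gpo.Path -Properties versionNumber
$newVer = [int]$gpoObj.versionNumber + 65536      # machine version is the high word
Set-ADObject -Identity $gpo.Path -Replace @{
    gPCMachineExtensionNames = "[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"
    versionNumber            = $newVer
}
$gptIni = Join-Path $policyDir "gpt.ini"
(Get-Content $gptIni) -replace '^Version=.*', "Version=$newVer" | Set-Content $gptIni -Encoding ASCII

# 5. Verify on every DC: refresh policy and read back the effective right.
#    Only the branch DC's line should contain $siteSid.
$allDCs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $allDCs -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
    $line = (Get-Content "$env:TEMP\rights.inf" | Select-String '^SeInteractiveLogonRight').Line
    [pscustomobject]@{ DC = $env:COMPUTERNAME; Right = $line }
} | Format-Table -AutoSize
```

The last step is the check that matters: the exported SeInteractiveLogonRight line on the branch DC should list the site-admin group's SID, and the same line on every other DC should not, which is exactly the scoping the child OU was created to get. As the thread notes, this right does not make the delegated admin a local administrator of the DC; it only lets the account log on there.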