Re: Delegation Wizard
- From: Misaro <Misaro@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 7 Aug 2005 09:15:02 -0700
Hi,
- I found authenticated users in the option "add computers to the domain", so
if I remove Authenticated Users, what would happen? I have 2 questions:
* Domain admins by default have no problem. They have full rights on the
domain!
* I have to add a group where I will have my ITS Users. So they could add PCs
to the domain?
Concerning the server operators, I mean allowing them to reset passwords,
enable/disable accounts, create GPOs, move users, etc., without allowing them
to be domain admins?
Thanks for comments!!
"Jorge_de_Almeida_Pinto" wrote:
> "" wrote:
> > I created an ITS Global Group to allocate its users there, ok.
> > I'm in the delegation wizard trying to understand how to delegate to
> > these users the option *add computers to the network* without allowing
> > them to be account operators. I mean I can't find the right permission
> > that explicitly gives me that option. And where must I apply the
> > delegation, in the default computers OU, Built-In or not?
> >
> > At the same time I have the same situation with server operators; I need
> > to give them the option to be full domain managers on a daily basis
> > without adding them to the group domain admins.
> >
> >
> > Thanks any help about it !!!
>
> First of all, open up the Default Domain Controllers Policy, go to
> Computer Configuration, Windows Settings, Security Settings, Local
> Policies, User Rights. In there you will find the user right called
> "Add workstations to the domain" (top of list somewhere). Double
> click it and you will probably see authenticated users listed. Remove
> only the authenticated users from the list. By removing the
> authenticated users you are preventing each and every user on your
> network from joining up to 10 computers into the domain without you
> even knowing it.
>
> Delegating the creation of computers:
> * Configure the delegation of control wizard as mentioned in the links
> (detailed description on how to)
> http://www.mail-archive.com/activedir@xxxxxxxxxxxxxxxxxx/msg30509.html
> http://www.mail-archive.com/activedir@xxxxxxxxxxxxxxxxxx/msg30514.html
> http://www.mail-archive.com/activedir@xxxxxxxxxxxxxxxxxx/msg27124.html
> * Create a separate OU
> * Put all computer accounts that you want to be managed into that OU
> * Create a group that will be able to add computer accounts and join
> them (also as mentioned in the links provided)
> * Delegate the add computer account perms and join computers to the
> group mentioned
>
> Concerning the server operators... what do you mean by daily basic
> domain tasks? That needs to be clear before a valid answer can be
> given to you.
> For delegating tasks see the following white papers. They are very
> good!
> http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
> http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
>
> A tip for delegation (per organization this may depend, but this
> should give you a hint how to do it):
> * create separate admin accounts to perform admin tasks
> * Define the admin roles in your organization
> * Define all the admin tasks performed by those roles in your
> organization
> * Create an OU for the Admin roles and the admin tasks
> * Do not delegate the management of the roles and the tasks to groups
> or persons other than the domain admins
> * Create an OU for the Admin accounts
> * Do not delegate the management of the admin accounts to groups or
> persons other than the domain admins
> * Create a separate OU for the Admin roles
> * Set up admin roles represented by security groups in AD
> * Set up all kinds of tasks represented by security groups in AD
> * Give the task groups the appropriate permissions in AD and on
> servers through the delegation of control wizard and through GPOs
> (restricted groups feature)
> * Make the role groups a member of the appropriate tasks
> * Make the admin accounts a member of the appropriate roles (most of
> the time 1 admin account only has one role assigned)
> * Protect the admin accounts OU, the admin roles and tasks OU
>
> Good luck!