Re: Remove Domain Admins ability from "Delegation Of Control"



Hey Jorge,

The reason is purely political. We are setting up a trust between a
partner and I do not want the domain admins adding themselves to the
restricted group which in turn will be a member of a local security
group on the trusting domain. I agree, I would have thought that it
couldn't be done, as you would only place trusted parties in Domain
Admins, but quoting from Microsoft:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

"This document provides three delegation examples using the Delegation
of Control wizard in the Active Directory Users and Computers Microsoft
Management Console (MMC) snap-in. They include:

Delegate complete control of an OU.
Delegate creation and deletion of users within an OU.
Delegate resetting of passwords for all users in an OU.
Prerequisites
Part 1: Installing Windows Server 2003 as a Domain Controller
Step-by-Step Guide to Managing Active Directory
Guide Requirements
To perform these procedures, you must be a member of the Domain Admins
group or the Enterprise Admins group in Active Directory, or you must
have been delegated the appropriate authority. In addition to
implementing the common infrastructure, the following steps must be
completed.
"
To me this reads as, along with Domain Admins and Enterprise Admins,
anyone who is delegated the appropriate permission can use the Delegation
of Control.

thanks again
