Re: delegate admin rights to an OU

Hi!

Apparently I missunderstood your question. ;) I believe it can still be done
but not with reasonable amount of work. You would have to create special
group for this user and then create GPO with appropriate user rights set
which would mimic Backup operators, Server operators,... and then apply this
GPO only to one DC (and DC account should not be moved from DC OU). "Add
workstation to domain" can not be limited to single DC. Last task can be
achieved with delegation of control wizard.

Toni

"Tomppa" <tofors99@xxxxxxxxxxx> wrote in message
news:upqXEKODHHA.3660@xxxxxxxxxxxxxxxxxxxxxxx
Yes, but if I put the user in Server operators group, then he can also
adminstrate other DC:s in our domain which I dont want - just the DC in
his own OU

Have I missunderstood something?

Tomppa

"T. Uranjek" <toniuranjek@xxxxxxxxxxx> wrote in message
news:OgzVF6NDHHA.4228@xxxxxxxxxxxxxxxxxxxxxxx
Hi!

- install programs that need local admin rights: Server operators
- take backup: Backup operators, Server operators
- share files: Server operators
- create and share printers: Print operators, Server operators
- add computers to domain: Add workstation to domain user right
- create users, reset password for other users in his OU: delegation of
administrative controll

Add user to Server operator, create GPO to grant user "Add workstation to
domain" and delegate him control for appropriate tasks in OU. I would
suggest using group for delegation and for assignig user rights.

HTH

Toni

"Tomppa" <tofors99@xxxxxxxxxxx> wrote in message
news:uaY1bxNDHHA.4256@xxxxxxxxxxxxxxxxxxxxxxx
Is it possible to give an user in a branch office so much rights with
delegate control and group policies, so he could administrate their DC
without help from the domainadmin?

the local admin should be able to:
- install programs that need local admin rights
- take backup
- share files
- create and share printers
- add computers to domain
- create users, reset password for other users in his OU

Is this possible with a reasonable amount of work?

Tomppa







.

Relevant Pages

  • Re: delegate admin rights to an OU
    ... Yes, but if I put the user in Server operators group, then he can also ... take backup: Backup operators, Server operators ... suggest using group for delegation and for assignig user rights. ... delegate control and group policies, so he could administrate their DC ...
    (microsoft.public.windows.group_policy)
  • Re: restrict reset of Admin Password
    ... Server operators and account operators can not reset or otherwise modify ... could also look into AD delegation at the domain or OU level that will allow ...
    (microsoft.public.win2000.security)
  • Re: permissions for AD environment
    ... Delegation of control, check: ... Some of thier job functions would be adding machines to domain, ... Right now, I have them as Server Operators, primarily for adding ... added to domain go into the computer container and I am not sure what to ...
    (microsoft.public.windows.server.active_directory)
  • Delegation Wizard
    ... delegation wizard trying to understand how to delegate to these users the ... computers OU Built-In or not!! ... **At the same time I have the same situation with server operators; ... to give them the option to be full domain managers in daily basics without ...
    (microsoft.public.win2000.active_directory)