Re: Domain Rights
From: ptwilliams (ptw2001_at_hotmail.com)
Date: 02/09/05
Date: Wed, 9 Feb 2005 22:06:35 -0000
Good answer!!!
However, I have a minor suggestion with this point:
> 3. Create a new OU for computers. Delegate permissions create/delete
> computer objects on this OU for IT Techs group.
By default, computers are added to the computers container. Without some
kind of script or pre-created accounts this won't work. A better solution
would be to grant these permissions to the users container for the group
that you create.
Also, do consider Tyler's post before implementing Restricted Groups. Have
a read on the subject; there were some changes with SP4 and I think there's
now a patch that will allow you to merge rather than replace (which was
default).
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/

"Burtsev Dmitry" <burtsev@removethispart.km.ru> wrote in message
news:e8nbBgrDFHA.3888@TK2MSFTNGP09.phx.gbl...
Hello.
I think this can help you.
1. Create a group for IT Techs and add necessary accounts
2. Create an OU for users. Move necessary groups to this OU (don't forget
Domain Users!) Delegate for IT_techs group appropriate permissions (create,
delete and manage user accounts, reset user passwords, modify the membership
of group). Delegation of control wizard will help you.
3. Create a new OU for computers. Delegate permissions create/delete
computer objects on this OU for IT Techs group.
4. Create Group policy object on computer OU. In this GPO define Restricted
groups policy. Add IT_Techs to local administrators group. Don't forget about
domain admins!
About restricted groups you can read in these articles
http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
http://support.microsoft.com/default.aspx?scid=kb;en-us;810076
--
Dmitry Burtsev [burtsev@removethis.km.ru]

"Kevin" <Kevin@discussions.microsoft.com> wrote in message
news:06a401c50eb4$28f93510$a401280a@phx.gbl...
> I want to be able to take our IT Techs out of the Domain
> Admin Group but I need a way for these same users to do
> Administrative tasks. Our environment consists of XP
> stations and Server 2003 Domain Controller. The IT Techs
> need to be able to add and remove computers from the
> domain, reset passwords and if possible have full access
> to the local XP stations (Local Admins on these boxes?)
> ADMIN share for remote assistance and other administrative
> functions. Is there a way to do this through Group Policy
> or creating another OU and delegating some of these
> abilities? Thanks in advance
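
An added example, not part of the original thread or anyone's posted script: a small Python check for the Restricted Groups setting discussed in step 4 and in the reply. It reads the `[Group Membership]` section of a GPO security template (GptTmpl.inf) and reports whether local Administrators is set through a `Members` list, which replaces existing membership, or through `Memberof`, which only adds, and whether Domain Admins was left out. The sample template, the domain SID and RID 1105 standing in for IT_Techs are constructed.

```python
import configparser

ADMIN_KEYS = {"S-1-5-32-544", "Administrators"}  # local Administrators (well-known SID)

# Constructed sample GptTmpl.inf; the domain SID and RID 1105 (standing in for
# the IT_Techs group) are made up for this example.
SAMPLE = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""

def parse_restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of SIDs and group names
    cp.read_string(inf_text)
    groups = {}
    if cp.has_section("Group Membership"):
        for key, value in cp.items("Group Membership"):
            name, _, kind = key.rpartition("__")
            sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
            groups.setdefault(name.lstrip("*"), {})[kind.lower()] = sids
    return groups

def is_domain_admins(principal):
    # Domain Admins always has RID 512 under the domain SID.
    return ((principal.startswith("S-1-5-21-") and principal.endswith("-512"))
            or principal.lower().endswith("\\domain admins"))

def audit_local_admins(inf_text):
    """List what the policy does to the local Administrators group."""
    findings = []
    groups = parse_restricted_groups(inf_text)
    for name, entry in groups.items():
        members = entry.get("members", [])
        if name in ADMIN_KEYS and members:  # empty lists are not assessed here
            findings.append("Administrators: Members list replaces local membership")
            if not any(is_domain_admins(m) for m in members):
                findings.append("Administrators: Domain Admins missing from Members")
        if ADMIN_KEYS & set(entry.get("memberof", [])):
            findings.append(f"{name}: added to Administrators via Member Of")
    return findings

if __name__ == "__main__":
    for line in audit_local_admins(SAMPLE):
        print(line)
```

GptTmpl.inf files in SYSVOL are normally UTF-16 encoded, so decode the file accordingly before passing its text to `audit_local_admins`.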