Re: Domain Rights
From: Burtsev Dmitry (burtsev_at_removethispart.km.ru)
Date: 02/10/05
- Next message: motila: "Join domain issue"
- Previous message: Herb Martin: "Re: Best Practice?"
- In reply to: ptwilliams: "Re: Domain Rights"
- Next in thread: ptwilliams: "Re: Domain Rights"
- Reply: ptwilliams: "Re: Domain Rights"
Date: Thu, 10 Feb 2005 09:32:56 +0300
Thanks Tyler and ptwilliams for your comments.
1. I know about the Restricted Groups feature. But I think this is a good thing
for systems administrators. Ordinary users don't need local admin
permissions. And in the situation described above we don't have the necessary
information for complete advice, do we?
2. Don't forget about "dsadd computer ComputerDN". Create a simple .BAT file
and write instructions for technicians.
--
Dmitry Burtsev [burtsev@removethis.km.ru]

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:uq8U3MvDFHA.3376@TK2MSFTNGP12.phx.gbl...
> Good answer!!!
>
> However, I have a minor suggestion with this point:
>
> > 3. Create a new OU for computers. Delegate permissions create/delete
> > computer objects on this OU for IT Techs group.
>
> By default, computers are added to the computers container. Without some
> kind of script or pre-created accounts this won't work. A better solution
> would be to grant these permissions to the users container for the group
> that you create.
>
> Also, do consider Tyler's post before implementing Restricted Groups. Have
> a read on the subject, there were some changes with SP4 and I think there's
> now a patch that will allow you to merge rather than replace (which was
> default).
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Burtsev Dmitry" <burtsev@removethispart.km.ru> wrote in message
> news:e8nbBgrDFHA.3888@TK2MSFTNGP09.phx.gbl...
> Hello.
> I think this can help you.
> 1. Create a group for IT Techs and add necessary accounts
> 2. Create an OU for users. Move necessary groups to this OU (don't forget
> Domain Users!)
> Delegate for IT_techs group appropriate permissions (create, delete and
> manage user accounts, reset user passwords, modify the membership of group).
> Delegation of control wizard will help you.
> 3. Create a new OU for computers. Delegate permissions create/delete
> computer objects on this OU for IT Techs group.
> 4. Create Group policy object on computer OU. In this GPO define Restricted
> groups policy. Add IT_Techs to local administrators group. Don't forget
> about domain admins!
> About restricted groups you can read in these articles
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
> http://support.microsoft.com/default.aspx?scid=kb;en-us;810076
>
> --
> Dmitry Burtsev [burtsev@removethis.km.ru]
>
> "Kevin" <Kevin@discussions.microsoft.com> wrote in message
> news:06a401c50eb4$28f93510$a401280a@phx.gbl...
> > I want to be able to take our IT Techs out of the Domain
> > Admin Group but I need a way for these same users to do
> > Administrative tasks. Our environment consists of XP
> > stations and Server 2003 Domain Controller. The IT Techs
> > need to be able to add and remove computers from the
> > domain, reset passwords and if possible have full access
> > to the local XP stations (Local Admins on these boxes?)
> > ADMIN share for remote assistance and other administrative
> > functions. Is there a way to do this through Group Policy
> > or creating another OU and delegating some of these
> > abilities? Thanks in advance
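
The ".BAT file" suggested in point 2 of the reply above could look like the following. It is an added example, not part of the original posts; the `TARGET_OU` value (`OU=Workstations,DC=example,DC=com`) is a placeholder for the computers OU on which the IT Techs group was delegated create/delete rights, and the name checks are an addition the thread does not mention.

```batch
@echo off
rem Added example: pre-create a computer account in the delegated computers OU.
rem TARGET_OU is a placeholder; replace it with the OU delegated to IT_Techs.
setlocal EnableExtensions
set "TARGET_OU=OU=Workstations,DC=example,DC=com"

if "%~1"=="" (
    echo Usage: %~nx0 COMPUTERNAME
    exit /b 1
)
set "NAME=%~1"

rem Letters, digits and hyphens only, so the name cannot change the DN.
echo(%NAME%| findstr /r /x /i "[a-z0-9][a-z0-9-]*" >nul
if errorlevel 1 (
    echo Invalid computer name: use letters, digits and hyphens only.
    exit /b 1
)

rem Computer names are limited to 15 characters (NetBIOS).
if not "%NAME:~15,1%"=="" (
    echo Computer name is longer than 15 characters.
    exit /b 1
)

rem Refuse to continue if an account with this name already exists in the domain.
dsquery computer domainroot -name "%NAME%" | findstr /r "." >nul
if not errorlevel 1 (
    echo A computer account named %NAME% already exists.
    exit /b 1
)

rem Create the account in the delegated OU; this needs only the delegated
rem create-computer-object right, not Domain Admins membership.
dsadd computer "CN=%NAME%,%TARGET_OU%" -desc "Pre-created by %USERNAME%"
if errorlevel 1 (
    echo dsadd failed; check the OU path and your delegated permissions.
    exit /b 1
)
echo Created CN=%NAME%,%TARGET_OU%
```

Because the account is created directly in the delegated OU, the later domain join does not depend on the default Computers container that ptwilliams mentions.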