Re: Domain Rights
From: ptwilliams (ptw2001_at_hotmail.com)
Date: 02/10/05
- In reply to: Burtsev Dmitry: "Re: Domain Rights"
Date: Thu, 10 Feb 2005 08:31:48 -0000
> And in described above situation we haven't necessary information for
> complete advice, isn't it?
Always very true ;-)
> 2. Don't forget about "dsadd computer ComputerDN". Create simple .BAT file
> and write instruction for technicians.
Yes, that's a good point!! I'm still *too* much of an AD 1.0 man...
--
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/

"Burtsev Dmitry" <burtsev@removethispart.km.ru> wrote in message
news:OL9EdpzDFHA.1260@TK2MSFTNGP12.phx.gbl...
Thanks Tyler and ptwilliams for your comments.
1. I know about Restricted Groups features. But I think this is a good thing for systems administrators. Ordinary users didn't need local admins permissions. And in described above situation we haven't necessary information for complete advice, isn't it?
2. Don't forget about "dsadd computer ComputerDN". Create simple .BAT file and write instruction for technicians.
--
Dmitry Burtsev [burtsev@removethis.km.ru]

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:uq8U3MvDFHA.3376@TK2MSFTNGP12.phx.gbl...
> Good answer!!!
>
> However, I have a minor suggestion with this point:
>
> > 3. Create a new OU for computers. Delegate permissions create/delete
> > computer objects on this OU for IT Techs group.
>
> By default, computers are added to the computers container. Without some
> kind of script or pre-created accounts this won't work. A better solution
> would be to grant these permissions to the users container for the group
> that you create.
>
> Also, do consider Tyler's post before implementing Restricted Groups. Have
> a read on the subject, there were some changes with SP4 and I think there's
> now a patch that will allow you to merge rather than replace (which was
> default).
>
> --
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Burtsev Dmitry" <burtsev@removethispart.km.ru> wrote in message
> news:e8nbBgrDFHA.3888@TK2MSFTNGP09.phx.gbl...
> Hello.
> I think this can help you.
> 1. Create a group for IT Techs and add necessary accounts
> 2. Create an OU for users. Move necessary groups to this OU (don't forget
> Domain Users!)
> Delegate for IT_techs group appropriate permissions (create, delete and
> manage user accounts, reset user passwords, modify the membership of group).
> Delegation of control wizard will help you.
> 3. Create a new OU for computers. Delegate permissions create/delete
> computer objects on this OU for IT Techs group.
> 4. Create Group policy object on computer OU. In this GPO define Restricted
> groups policy. Add IT_Techs to local administrators group. Don't forget
> about domain admins!
> About restricted groups you can read in these articles
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
> http://support.microsoft.com/default.aspx?scid=kb;en-us;810076
>
> --
> Dmitry Burtsev [burtsev@removethis.km.ru]
>
> "Kevin" <Kevin@discussions.microsoft.com> wrote in message
> news:06a401c50eb4$28f93510$a401280a@phx.gbl...
> > I want to be able to take our IT Techs out of the Domain
> > Admin Group but I need a way for these same users to do
> > Administrative tasks. Our environment consists of XP
> > stations and Server 2003 Domain Controller. The IT Techs
> > need to be able to add and remove computers from the
> > domain, reset passwords and if possible have full access
> > to the local XP stations (Local Admins on these boxes?)
> > ADMIN share for remote assistance and other administrative
> > functions. Is there a way to do this through Group Policy
> > or creating another OU and delegating some of these
> > abilities? Thanks in advance
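The technician batch file from point 2 of the thread, written out as an added example (not code from the thread or its participants). The OU `OU=Workstations,DC=example,DC=com` and the group `EXAMPLE\IT_Techs` are assumed names; the `delegate` branch is the one-time grant from step 3 and is meant to be run by a domain administrator.

```batch
@echo off
rem Added example. Pre-creates a computer account in the delegated OU so the
rem later domain join uses it instead of landing in the default Computers
rem container. TARGET_OU and TECH_GROUP are assumed names; adjust them.
setlocal
set "TARGET_OU=OU=Workstations,DC=example,DC=com"
set "TECH_GROUP=EXAMPLE\IT_Techs"

if /i "%~1"=="delegate" goto :delegate
if "%~1"=="" goto :usage
set "NAME=%~1"

rem Refuse names longer than the 15-character NetBIOS limit.
if not "%NAME:~15,1%"=="" goto :toolong

rem Stop if an account with this name already exists anywhere in the domain.
for /f "delims=" %%D in ('dsquery computer domainroot -name "%NAME%"') do (
    echo Already exists: %%D
    exit /b 1
)

rem Create the account under the technician's own credentials. This succeeds
rem only if the create/delete delegation on TARGET_OU is in place.
dsadd computer "CN=%NAME%,%TARGET_OU%" -desc "Pre-created by %USERNAME%"
if errorlevel 1 goto :failed
echo Created CN=%NAME%,%TARGET_OU%
exit /b 0

:delegate
rem One-time step: allow the group to create and delete computer objects
rem (CC = create child, DC = delete child) in this OU and the OUs below it.
dsacls "%TARGET_OU%" /I:T /G "%TECH_GROUP%:CCDC;computer"
exit /b %errorlevel%

:toolong
echo Computer name is longer than 15 characters.
exit /b 1

:failed
echo dsadd failed. Check the delegation on %TARGET_OU%.
exit /b 1

:usage
echo Usage: %~n0 COMPUTERNAME
echo        %~n0 delegate
exit /b 1
```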