RE: Allowing Remote Admin Some Control



You should create an OU for that location, and delegate full control
permission to him for that OU. He will only be able to create/delete/change
objects within that OU. You will need to move any existing objects for that
location into the newly created OU (if you want him to have access to them).
This scenario will only allow him to join computers to the domain if he first
creates a computer account in the location's OU, then joins the computer to
the domain. This is because he will not have permissions on the default
"Computers" container. This will not give him local administrator rights on
the workstations. If you need to give him local admin rights on the
workstations, then you will need to use a group policy on the OU. The
section that you use in Group Policy is called "Restricted Groups." It
allows you to force a user or group into the local admins group of the
workstation within the OU. One issue that you still have to address is his
access to the server. If the server is a DC, then you will have to grant him
rights to log on locally. I don't suggest this, but if you don't have a
member server to share files from then I guess you have to do what you have
to do. Good luck!!

"Kory" wrote:

> Ok. I have Windows 2000 AD and I have 5 locations. All locations are
> configured as part of the same domain. Now we are hiring a consultant for
> one location to do some dirty work. This guy should have access to the
> server, should be able to install printers on server. Now that's probably
> the easy part. Now, how can I get this guy to be able to create users and
> join computers to domain, but I want him to be restricted only to that
> location. Is that possible? I'm afraid if I give this guy Admin
> privileges, he might do some damage to the rest of the network.
> Can someone advise?
>
>
>
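
The OU delegation described in the reply above, sketched as an added example that is not part of the original posts, with a check that the delegate's rights stop at the OU boundary. It assumes a management host with the RSAT ActiveDirectory PowerShell module and dsacls, and a domain that the module can reach; the domain, OU, account and computer names are all hypothetical.

```powershell
# Added example; every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$DomainDN = 'DC=example,DC=local'      # assumed domain
$SiteOU   = "OU=Branch5,$DomainDN"     # assumed OU for the one location
$Delegate = 'EXAMPLE\consultant'       # assumed consultant account

# 1. Create the OU for the location.
New-ADOrganizationalUnit -Name 'Branch5' -Path $DomainDN

# 2. Grant the delegate full control (GA) on the OU and all objects
#    beneath it (/I:T = this object and sub-objects).
dsacls $SiteOU /I:T /G "${Delegate}:GA"

# 3. Move the location's existing objects into the OU so the delegate
#    can manage them (assumed naming convention BR5-*).
Get-ADComputer -Filter 'Name -like "BR5-*"' |
    Move-ADObject -TargetPath $SiteOU

# 4. Pre-create the computer account inside the OU before the join.
#    The delegate has no rights on the default Computers container,
#    so the account must already exist here when the machine joins.
New-ADComputer -Name 'BR5-WS042' -SamAccountName 'BR5-WS042' -Path $SiteOU

# 5. Verify the scope: list ACEs set directly (not inherited) for the
#    delegate on the OU, the default Computers container and the
#    domain root.
function Get-DelegateAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Identity
    )
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            -not $_.IsInherited
        }
}

foreach ($dn in $SiteOU, "CN=Computers,$DomainDN", $DomainDN) {
    $aces = @(Get-DelegateAce -DistinguishedName $dn -Identity $Delegate)
    '{0}: {1} explicit ACE(s) for {2}' -f $dn, $aces.Count, $Delegate
}
```

Only the location's OU should report explicit ACEs for the delegate. The check covers ACEs granted to the account itself; rights the account holds through group membership need a separate review of its groups.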