Re: Allowing Remote Admin Some Control
- From: "Jimmy Andersson [MVP]" <jimmy_NO_SPAM_@xxxxxxxx>
- Date: Fri, 13 May 2005 10:26:14 +0200
"Best practices for delegation AD administration":
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerWhitepapers/9622E27E-AC49-49E2-9047-319B6A81DF9D.mspx
Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
"Ele7eN" <Ele7eN@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D7023C66-54A3-4160-A289-E57D7676A137@xxxxxxxxxxxxxxxx
> You should create an OU for that location, and delegate full control
> permission to him for that OU. He will only be able to create/delete/change
> objects within that OU. You will need to move any existing objects for that
> location into the newly created OU (if you want him to have access to them).
> This scenario will only allow him to join computers to the domain if he first
> creates a computer account in the location's OU, then joins the computer to
> the domain. This is because he will not have permissions on the default
> "Computers" container. This will not give him local administrator rights on
> the workstations. If you need to give him local admin rights on the
> workstations, then you will need to use a group policy on the OU. The
> section that you use in Group Policy is called "Restricted Groups." It
> allows you to force a user or group into the local admins group of the
> workstation within the OU. One issue that you still have to address is his
> access to the server. If the server is a DC, then you will have to grant him
> rights to log on locally. I don't suggest this, but if you don't have a
> member server to share files from then I guess you have to do what you have
> to do. Good luck!!
>
> "Kory" wrote:
>
>> Ok. I have Windows 2000 AD and I have 5 locations. All locations are
>> configured as part of the same domain. Now we are hiring a consultant for
>> one location to do some dirty work. This guy should have access to the
>> server, should be able to install printers on server. Now that's probably
>> the easy part. Now, how can I get this guy to be able to create users and
>> join computers to domain, but I want him to be restricted only to that
>> location. Is that possible? I'm afraid if I give this guy Admin
>> privileges, he might do some damage to the rest of the network.
>> Can someone advise?
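
The OU delegation described in the quoted reply, scripted as an added example (not code from any poster in this thread), with a final check that the delegate holds no explicit rights outside the OU. It assumes the ActiveDirectory PowerShell module, which postdates the Windows 2000 tooling discussed here; the domain, OU, group and computer names are hypothetical, and the Restricted Groups policy is not covered.

```powershell
# Added example. All names (example.com, Branch5, Branch5-Admins, BR5-WS001)
# are hypothetical placeholders; run from an account allowed to edit the OU ACL.
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=com'
$ouName   = 'Branch5'
$ouDN     = "OU=$ouName,$domainDN"
$group    = Get-ADGroup -Identity 'Branch5-Admins'   # group holding the consultant's account

# 1. Create the location OU if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# 2. Grant the group full control on the OU and everything beneath it.
$ruleArgs = @(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $ruleArgs
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Pre-stage a computer account inside the OU. The delegate does the same
#    before each domain join, since he has no rights on the default
#    "Computers" container.
New-ADComputer -Name 'BR5-WS001' -Path $ouDN

# 4. Verify scope: the group should hold no explicit ACE on the domain root
#    or on the default Computers container.
foreach ($dn in @($domainDN, "CN=Computers,$domainDN")) {
    $hits = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq $group.SID.Value
    }
    if ($hits) {
        Write-Warning "Delegated group has explicit rights on $dn"
        $hits | Format-List ActiveDirectoryRights, AccessControlType, InheritanceType
    } else {
        Write-Output "OK: no explicit ACE for the group on $dn"
    }
}
```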