Re: Allowing Remote Admin Some Control



Question, I delegated control to that OU just like you recommend, but how
can I check what was delegated? I logged in with his account and checked if
it worked properly and it did, but can't find that property page that shows
what was delegated.


"Ele7eN" <Ele7eN@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D7023C66-54A3-4160-A289-E57D7676A137@xxxxxxxxxxxxxxxx
> You should create an OU for that location, and delegate full control
> permission to him for that OU. He will only be able to create/delete/change
> objects within that OU. You will need to move any existing objects for that
> location into the newly created OU (if you want him to have access to them).
> This scenario will only allow him to join computers to the domain if he first
> creates a computer account in the location's OU, then joins the computer to
> the domain. This is because he will not have permissions on the default
> "Computers" container. This will not give him local administrator rights on
> the workstations. If you need to give him local admin rights on the
> workstations, then you will need to use a group policy on the OU. The
> section that you use in Group Policy is called "Restricted Groups." It
> allows you to force a user or group into the local admins group of the
> workstation within the OU. One issue that you still have to address is his
> access to the server. If the server is a DC, then you will have to grant him
> rights to log on locally. I don't suggest this, but if you don't have a
> member server to share files from then I guess you have to do what you have
> to do. Good luck!!
>
> "Kory" wrote:
>
> > Ok. I have Windows 2000 AD and I have 5 locations. All locations are
> > configured as part of the same domain. Now we are hiring a consultant for
> > one location to do some dirty work. This guy should have access to the
> > server, should be able to install printers on server. Now that's probably
> > the easy part. Now, how can I get this guy to be able to create users and
> > join computers to domain, but I want him to be restricted only to that
> > location. Is that possible? I'm afraid if I give this guy Admin
> > privileges, he might do some damage to the rest of the network.
> > Can someone advise?

