Re: Delegating Permissions



You cannot safely delegate permissions to modify a DC without giving enough rights for the delegate to escalate themselves to administrator, domain administrator, and eventually Enterprise Admin.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Howard Goldstein wrote:
I hope someone can help me; I'm banging my head against the wall!!
Here is the scenario:
60 divisions, each with a DC
We want local admin to be able to: add/remove computers from the domain
back up and restore files on the DC
add/remove printers on the DC
manage printers

We do not want local admin to have the right to back up/restore files or manage or add printers on DCs outside of their division
Here is what we have done

Delegated permissions at the division OU level allowing local admin the right to add/delete computers w/ full control on computer objects
Delegated permissions at the OU level allowing local admin the right to add/delete printers w/ full control to printer objects
Delegated permissions on the DC itself giving local admin the right to add/delete printers w/ full control to printer objects
Created an OU for each division under the Domain Controllers OU
Moved each DC into its own sub OU
Created a GPO for each sub OU assigning local admin the following rights:
log on through terminal services
backup files
restore files
stop and restart print spooler

It does not work.
Local admin cannot log in through terminal services
Local admin cannot manage printers (I don't know if they can add or delete printers)
Local admin cannot access Backup Exec on the DCs.
Local admin CAN add computers to their OU
We do not want to use the domain Backup Operators group or Print Operators group since we do not want the local admin to have the elevated privileges that come with being in those groups
Does anyone have any suggestions?

Thanks,

Howard Goldstein
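Added example for this thread (not code from either poster). The mechanism behind the answer above is that the rights in the post's own list are DC-compromise rights wherever they are scoped: a GPO linked to a per-DC sub-OU does confine the user right to that one DC, but "back up files" on a DC is read access to NTDS.dit and the SYSTEM hive, which hold every account's password hash including krbtgt, and "restore files" is write access to anything on the DC, including binaries that run as SYSTEM. Likewise "full control on computer objects" granted over a DC's own account lets the delegate reset that account's password, and a DC account can replicate the directory. The script below takes the two artifacts the post's delegation produces, the [Privilege Rights] section of a GPO's GptTmpl.inf and an SDDL security descriptor for a DC computer object, and reports which grants amount to control of the DC. Both inputs are constructed inline so it runs offline on Windows PowerShell 5.1 or later; the division-admin SID and group are hypothetical, and the `Get-DangerousRightsAssignment` / `Get-DangerousObjectAces` function names are this example's own.

```powershell
# Added example, not code from the thread. Audits what a per-division delegation
# actually hands out on a domain controller. Inputs are constructed below so the
# script runs offline; every SID below is hypothetical.

# User rights that, held on a domain controller, are equivalent to owning it.
$DangerousPrivileges = @{
    'SeBackupPrivilege'             = 'read any file, including NTDS.dit and the SYSTEM hive (offline hash extraction, krbtgt included)'
    'SeRestorePrivilege'            = 'write any file or registry key, e.g. replace a service binary or DLL that runs as SYSTEM'
    'SeRemoteInteractiveLogonRight' = 'interactive session on the DC, where the privileges above are exercised'
    'SeDebugPrivilege'              = 'read LSASS memory on the DC'
    'SeTakeOwnershipPrivilege'      = 'take ownership of any file, key or object on the DC'
    'SeLoadDriverPrivilege'         = 'load kernel-mode code on the DC'
}

# Principals that hold DC rights by default: Administrators, Backup Operators, Server Operators,
# Enterprise Domain Controllers, LOCAL SERVICE, NETWORK SERVICE, SYSTEM. Anything else is a finding.
$ExpectedSids = @('S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-549', 'S-1-5-9', 'S-1-5-19', 'S-1-5-20', 'S-1-5-18')

# Parse the [Privilege Rights] section of a GptTmpl.inf (where a GPO stores its
# Security Settings) and return non-default holders of dangerous user rights.
function Get-DangerousRightsAssignment {
    param([Parameter(Mandatory)][string]$GptTmplText)
    $inSection = $false
    $findings = @()
    foreach ($rawLine in $GptTmplText -split "`r?`n") {
        $line = $rawLine.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or -not ($line -match '^(\w+)\s*=\s*(.*)$')) { continue }
        $privilege = $Matches[1]
        if (-not $DangerousPrivileges.ContainsKey($privilege)) { continue }
        # Values are comma-separated; SIDs carry a leading '*', resolved names do not.
        $principals = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        foreach ($principal in $principals) {
            if ($ExpectedSids -contains $principal) { continue }
            $findings += [pscustomobject]@{
                Source    = 'GPO user right'
                Right     = $privilege
                Principal = $principal
                Impact    = $DangerousPrivileges[$privilege]
            }
        }
    }
    return $findings
}

# Parse an SDDL string as a directory-object ACL and return Allow ACEs that give a
# non-default principal control of the object (GenericAll, WriteDacl, WriteOwner,
# or WriteProperty over every attribute).
function Get-DangerousObjectAces {
    param([Parameter(Mandatory)][string]$Sddl)
    Add-Type -AssemblyName System.DirectoryServices
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    $findings = @()
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $ace.IdentityReference.Value
        if ($ExpectedSids -contains $sid) { continue }
        $rights = $ace.ActiveDirectoryRights
        $impact = $null
        # 0x10000000 is the raw GENERIC_ALL bit, which SDDL 'GA' produces instead of the expanded mask.
        if ($rights.HasFlag($adr::GenericAll) -or (([int]$rights -band 0x10000000) -ne 0)) {
            $impact = 'full control: every attribute and control-access right, including resetting the machine-account password; a DC account can replicate the directory'
        } elseif ($rights.HasFlag($adr::WriteDacl) -or $rights.HasFlag($adr::WriteOwner)) {
            $impact = 'can rewrite the ACL, so can grant itself full control'
        } elseif ($rights.HasFlag($adr::WriteProperty) -and $ace.ObjectType -eq [guid]::Empty) {
            $impact = 'can write every attribute of the object'
        }
        if ($impact) {
            $findings += [pscustomobject]@{
                Source    = 'object ACL'
                Right     = $rights.ToString()
                Principal = $sid
                Impact    = $impact
            }
        }
    }
    return $findings
}

# --- Constructed sample inputs (hypothetical "division admins" group SID) ---
$DivisionAdminSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

# What the per-division GPO from the post would write. A GPO that defines a user right
# replaces the whole list set by GPOs applied before it (here the Default Domain
# Controllers Policy), so the default holders have to be repeated or the DC loses them.
$SampleGptTmpl = @"
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*$DivisionAdminSid
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*$DivisionAdminSid
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*$DivisionAdminSid
SeNetworkLogonRight = *S-1-5-11
"@

# "Full control on computer objects" applied to a DC's own account: owner/group Administrators,
# the division group gets the expanded full-control mask, Authenticated Users the default read set.
$SampleDcSddl = "O:S-1-5-32-544G:S-1-5-32-544D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$DivisionAdminSid)(A;;RPLCLORC;;;S-1-5-11)"

Get-DangerousRightsAssignment -GptTmplText $SampleGptTmpl | Format-Table Source, Right, Principal, Impact -Wrap
Get-DangerousObjectAces -Sddl $SampleDcSddl | Format-Table Source, Right, Principal, Impact -Wrap
```

Against a live domain, the same two functions take real inputs: the GptTmpl.inf of a GPO lives under `\\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf`, and with the ActiveDirectory module loaded `(Get-Acl -Path "AD:\<DN of the DC computer object>").Sddl` yields the descriptor string. Only the SeNetworkLogonRight line in the sample passes clean; every other grant to the division group is reported, which is the point of the answer above: the rights the post wants to hand out per division are the ones that own the DC, and an account that owns any writable DC owns the domain.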
