Re: Delegate control questions



Hi!

...inline...

Toni

"Tommy Forsman" <tofors99@xxxxxxxxxxx> wrote in message
news:%23APR0UjDHHA.4132@xxxxxxxxxxxxxxxxxxxxxxx

1) Go to Active Directory Users and Computers, click View and Advanced
Features. Go to OU, right click, select Properties, you will see Security
tab and user account with special permissions. This entry was added with
help of Delegation Of Control Wizard. I would suggest that you delegate
to groups rather than to users.

Found it! So if I want to remove some rights I have delegated, I will do
it from here?


Yes.

2) Create custom task with wizard, select Computer and Printer Object
from list and click check boxes that allow creation or deletion of these
objects.
Did it and it works.

3) Maybe objects were not replicated yet? Was console refreshed?
Yes, it was a replication problem. Now I can see all computers.

4) Which objects and why would you remove read permission?
Just a question. Have created a new MMC with only the Branch OU but have
noticed that if the local admin creates his own MMC with the ADUC snap-in he will
see the whole AD but only have rights to do something in his OU.

You can create custom Taskpad view for your administrators but they will be
able to see entire domain if they use ADUC. Their actions are limited to OU.

Thanks
Tomppa



Toni

"Tommy Forsman" <tofors99@xxxxxxxxxxx> wrote in message
news:eG4NbuiDHHA.4024@xxxxxxxxxxxxxxxxxxxxxxx
Hi
Have created an OU for our branch office. Have delegated control to the
local admin, so he can create users and groups, reset passwords, add
computers to domain.

Some problems...

1) Where and how can I see what rights I have delegated to him?
2) He cannot create computer or printer objects. What do I have to do to
give him these rights?
3) If DomainAdmin creates computers in the branch OU the local admin does
not see them (maybe the answer to 2 is also the solution to 3)
4) I suppose I cannot remove read rights for other objects in the AD?

Tomppa
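
A scripted way to answer question 1 (what has been delegated on the OU), as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory PowerShell module is installed; the OU distinguished name is a placeholder and the function name `Resolve-PrincipalClass` is hypothetical. It lists the explicit (non-inherited) permission entries that the Security tab shows, and marks which ones were granted to a user account rather than a group.

```powershell
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$ouDn = 'OU=Branch,DC=example,DC=com'   # placeholder DN, replace with your OU

# Build a GUID -> name map so object-class, attribute and extended-right
# GUIDs in each ACE can be shown as readable names.
$rootDse = Get-ADRootDSE
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

# Return the AD object class (user, group, computer, ...) behind an ACE trustee.
function Resolve-PrincipalClass {
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
        if ($obj) { return $obj.ObjectClass }
    } catch { }
    return 'builtin/unresolved'   # well-known SIDs, deleted accounts, other domains
}

# Explicit ACEs only: entries set directly on this OU, for example by the
# Delegation of Control Wizard, not those inherited from the domain.
$report = (Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        $applies = $guidMap[$_.ObjectType]
        if (-not $applies) { $applies = $_.ObjectType }
        $inheritedBy = $guidMap[$_.InheritedObjectType]
        if (-not $inheritedBy) { $inheritedBy = $_.InheritedObjectType }
        [pscustomobject]@{
            Principal      = $_.IdentityReference.Value
            PrincipalClass = Resolve-PrincipalClass $_.IdentityReference
            Type           = $_.AccessControlType
            Rights         = $_.ActiveDirectoryRights
            AppliesTo      = $applies
            InheritedBy    = $inheritedBy
        }
    }

$report | Sort-Object Principal | Format-Table -AutoSize -Wrap
# Entries delegated to individual users instead of groups, for review:
$report | Where-Object { $_.PrincipalClass -eq 'user' } | Format-Table -AutoSize -Wrap
```

The explicit entries include the defaults Active Directory puts on every new OU, so compare the output against a freshly created OU to isolate what was delegated.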









