Re: Create a partial admin account
Create a Group called something meaningful to you.
Create an OU that you want the machines to be created in that they will add.
Delegate to the group the ability to Create Computer objects in that OU.
Add the user(s) to the group.
The users can now manually create computer objects and then they can
specify who can do the actual join process (like for instance themselves).
You can not delegate the ability to do this if they just use the Join
Domain Wizards.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Alvin Burkholder wrote:
We have a remote location that we sometimes have a local computer shop do
some repair work/installs for us. I want that shop to be able to join
computers to our domain. Is there any way I can create an account with partial
admin rights that would allow them to join computers to domain without giving
them full admin privileges to the domain or is it an all or nothing situation?
Thanks.
Alvin Burkholder
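The four steps from the reply above, as an added PowerShell example (not part of the original post and not the poster's own code). It assumes the ActiveDirectory RSAT module is installed; the group, OU and user names are hypothetical placeholders. The last command reads the ACL back so the delegation can be checked.

```powershell
# Added example; group, OU and user names are hypothetical placeholders.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$groupName = 'RemoteSite-ComputerCreators'   # hypothetical group name
$ouName    = 'RemoteSiteComputers'           # hypothetical OU name
$members   = @('shoptech1')                  # hypothetical user account
$ouDn      = "OU=$ouName,$domainDn"

# Step 1: create the group.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$domainDn"

# Step 2: create the OU the machines will be created in.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn

# Step 3: delegate Create Computer objects on that OU only.
# The GUID is the schemaIDGUID of the computer class, so the right is
# limited to creating computer objects and covers no other object type.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$groupSid      = (Get-ADGroup -Identity $groupName).SID
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Step 4: add the user(s) to the group.
Add-ADGroupMember -Identity $groupName -Members $members

# Check: list what the group was actually granted on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  AccessControlType, InheritanceType
```

The check should show a single Allow entry with CreateChild and the computer class GUID; anything broader means the group holds more than the delegation described in the reply.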