Re: Permissions to join computers to domain
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Thu, 22 May 2008 10:49:20 -0500
"obnetadmin" <obnetadmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:365BE461-2D3E-4A25-8F67-3D4DBEFE742F@xxxxxxxxxxxxxxxx
I have a single forest, single domain Windows Server 2003 AD environment. I
want a couple of users to be able to add computers to the domain without
having to add them to the Domain Admin group. Could this be achieved
through
delegation?
Yes.
You can do a variety of things, one available even under WinNT,
and several which fall under the term 'delegation' as Microsoft has
used it:
1) Account Operators can add comuters to the domain
2) By default, ordinary users can add up to 10 computers
(but this can be changed -- it was mainly enabled to let
people re-add their own computer)
3) Delegate full control over some specific OU - essentially
making the user/group an OU or department 'admin'
without making them a domain admin in any sense
4) Specifically delegate just the permissions you wish, such
as "Add child objects" which allows for adding computers
user etc
#4 can be done conveniently by Right-Clicking on a particular
OU and using the "Delegation of Control Wizard" OR by
bringing up the full properties->Security and adding any
combination of delegated authority you wish.
.
- Follow-Ups:
- Prev by Date: Faxing from Windows 2003 Server
- Next by Date: Re: Schema Admins
- Previous by thread: Faxing from Windows 2003 Server
- Next by thread: Re: Permissions to join computers to domain
- Index(es):
Relevant Pages
|
