Archived from groups: microsoft.public.win2000.active_directory, microsoft.public.win2000.security
OK. If you cannot change Local Security Policy then there is another
Group/security policy overriding it. Possibly you have the Domain Controller
Security Policy linked to that OU. FYI you can use the RSOP mmc snapin on
that computer [if it is W2K, otherwise do it via GPMC] and it should show
exactly what GPOs are applying a particular policy setting. However moving
to a child OU of the DC OU sounds like a good plan. --- Steve
"Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
news:%23%23z6zSr5EHA.828@TK2MSFTNGP14.phx.gbl...
> I can see the local policy running the secpol.msc but I cannot make a
> change to it. I guess that I will make the Child OU under the Domain
> Controller OU and set the policy there.
>
> Thanks to all.
>
> Fred
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:NMKwd.212106$V41.118082@attbi_s52...
>> Your reason for moving the dc into the OU being delegated would not
>> really give you much. For instance it will not allow the users delegated
>> authority to the OU domain-admin-like access to the domain controller
>> for things like changing networking configuration, configuring Local
>> Security Policy, starting and stopping services [though that can be
>> configured via Group Policy], or installing software. If you grant logon
>> locally access to Domain Controller Security Policy it would allow a
>> user to logon to all domain controllers in a default installation. You
>> could create a child OU of the domain controller's container with its
>> own GPO to configure the user right for logon locally that would apply
>> to just domain controllers in that child OU. All other Domain Controller
>> Security Policy would still apply to that child OU other than settings
>> you define in the GPO for that child OU such as logon locally. In fact
>> that could be the only setting you define in the GPO for the child OU.
>> There is a Local Security Policy for all Windows 2003 computers. That
>> made it harder to find compared to W2K but secpol.msc will bring it up.
>> --- Steve
>>
>> "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
>> news:OcXhS5H5EHA.1452@TK2MSFTNGP11.phx.gbl...
>> > Steven,
>> > Thanks for the response. I am talking about a W2K3 Native Mode AD
>> > implementation here. I had the same thoughts as you on moving the DC
>> > from the default Domain Controller OU. The reason that I did move this
>> > DC to their site OU was in hopes that I could define an OU policy that
>> > would limit what the Admin could do to only their OU. If I attempt to
>> > grant a Logon Locally privilege back at the Domain Controller OU they
>> > have this right on all other DCs too. Does this make sense?
>> >
>> > Since this is a DC, there is no Local Security Policy that I can find.
>> >
>> > I am well versed with permissions but don't have a clue with this
>> > policy and OU delegation stuff.
>> >
>> > Thanks,
>> > Fred
>> >
>> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
>> > news:IHEwd.210034$V41.60437@attbi_s52...
>> >> Normally it is not a good idea to move a domain controller out of the
>> >> domain controller container for the sake of consistent application
>> >> of security policy. In a default AD domain you would have to add the
>> >> "delegated" user to the right to logon locally in Domain Controller
>> >> Security Policy. If you have Domain Controller Security Policy linked
>> >> to that OU and applied to your dc then that is where you should
>> >> configure it. Otherwise check the Local Security Policy on the domain
>> >> controller for the user right to logon locally. You will still find
>> >> that he has limited access to the dc itself. You still need to be a
>> >> domain admin to do things like change tcp/ip configuration on the
>> >> domain controller. --- Steve
>> >>
>> >> "Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
>> >> news:O5XXbtF5EHA.1300@TK2MSFTNGP14.phx.gbl...
>> >> >
>> >> > BACKGROUND:
>> >> > We have a sister company in Knoxville (connected to us via a WAN
>> >> > link) who uses our domain. We located a DC there and they have a
>> >> > couple of other file and printer sharing machines too. I created
>> >> > them an OU for their site and added their users, computers, DC, and
>> >> > servers to this OU. This all works like a champ.
>> >> >
>> >> > PROBLEM:
>> >> > I need to allow their onsite admin to be able to administer their
>> >> > OU. They need to be able to login to the DC and do things and to
>> >> > perform basic administrator functions for their site. I added this
>> >> > user to the Delegate Control function for their OU but it does not
>> >> > seem to allow them to login to the DC. Is there something special
>> >> > that I must do to permit this? The DC is also used for some minor
>> >> > file sharing. In the past this admin was just granted Domain
>> >> > Administrator rights but I am trying to reduce their privileges to
>> >> > only allow them to administer their own OU.
>> >> >
>> >> > Thanks,
>> >> > Fred
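A way to verify, on each DC, who actually ended up with the logon locally right after the Domain Controller Security Policy and any child-OU GPO have applied, as an added example that is not code from the thread: it parses the INF that `secedit /export` writes and flags holders beyond the default DC set, using a constructed sample export.

```python
"""Audit who holds "Allow log on locally" (SeInteractiveLogonRight) on a DC.

Added example, not code from the thread. Input is the INF that
`secedit /export /cfg dc-rights.inf /areas USER_RIGHTS` writes on the DC: the
effective policy after Domain Controller Security Policy and any child-OU GPO
apply. The sample below is constructed; real exports are UTF-16LE, so read
them with open(path, encoding="utf-16").
"""

# Well-known SIDs that hold SeInteractiveLogonRight on a DC by default.
DEFAULT_DC_LOGON_LOCALLY = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

def parse_privilege_rights(inf_text):
    """{privilege: [principals]} from [Privilege Rights]; secedit prefixes
    SIDs with '*', names it could not resolve to a SID appear bare."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_logon_locally(inf_text):
    """Principals granted logon locally on this DC beyond the default set."""
    holders = parse_privilege_rights(inf_text).get("SeInteractiveLogonRight", [])
    return [p for p in holders if p not in DEFAULT_DC_LOGON_LOCALLY]

# Constructed sample: the defaults plus one domain SID, the kind of entry that
# shows up when a site admin is granted the right in the DC-wide policy.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    print("non-default logon-locally holders:", audit_logon_locally(SAMPLE_EXPORT))
```

Running the export on a DC inside the child OU and one outside it shows directly whether the child-OU GPO scoped the right as intended.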