delegating administrative access

richierich

Distinguished
Sep 17, 2001
13
0
18,510
Archived from groups: microsoft.public.win2000.active_directory (More info?)

I want to delegate admin tasks to a jr admin. I want him specifically to be
able to rename computer objects in my domain. What settings do I need to
check to allow this? I did the delegation wizard, but it is not that
granular in its use.

-thanks
 
Guest

Load ADU&C (dsa.msc) and select Advanced Features from the View drop-down menu.

Then right-click the container or OU that you wish to configure the
delegation on and choose properties. In the properties tab, choose Security
and then Advanced. In the Access Control Settings for <OU Name> choose add,
add the user name, and then in the Permission Entry for <OU Name> select the
following Allow permissions:

Create Computer Objects
Delete Computer Objects


Hope this helps,

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
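
The same two Allow entries set from the command line and then read back from the OU's DACL, as an added example that is not part of the original post. The OU path and the `EXAMPLE\JrAdmins` group are placeholders, and it assumes `dsacls.exe` and the ActiveDirectory PowerShell module (RSAT) are installed.

```powershell
# Added example: the OU and group names are placeholders, not values from the thread.
Import-Module ActiveDirectory      # provides the AD: drive that Get-Acl reads below

$ou      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$trustee = 'EXAMPLE\JrAdmins'                    # placeholder group (NetBIOS\name form)

# schemaIDGUID of the "computer" class: the delegated ACEs should be scoped to it.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# CC = Create Child, DC = Delete Child, restricted to computer objects.
# /I:T applies the entry to this OU and the OUs beneath it.
& dsacls.exe $ou /I:T /G "${trustee}:CCDC;computer" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Read the DACL back and list every trustee that can create or delete computer
# objects here. ACEs with an empty ObjectType apply to all child classes
# (Full Control, for example), so they are included in the review.
$mask = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$aces = (Get-Acl -Path "AD:\$ou").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.ActiveDirectoryRights -band $mask) -ne 0) -and
    ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty)
}

$aces | Sort-Object { $_.IdentityReference.Value } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize

# Confirm the delegation landed as a class-scoped ACE for the intended group.
$granted = $aces | Where-Object {
    $_.IdentityReference.Value -eq $trustee -and $_.ObjectType -eq $computerClass
}
if (-not $granted) {
    Write-Warning "No computer-scoped create/delete ACE found for $trustee on $ou"
}
```

The table doubles as an audit of the OU: any trustee listed there besides the intended group can also create or delete computer accounts in it.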

richierich

funny, I did that and it did not work. I thought that would be it too.
mmmmm. anything else to look at?

Guest

That's it. Although he'll also need read, but should have that by default.

What isn't working if you've done this? What error are you getting?

Start by checking that the DHCP Client Service is set to automatically start
and is running on the DC; that the DNS zone accepts dynamic updates; and that
the DC is pointing to itself for DNS.

Once you've done this, restart netlogon.

After restarting netlogon, run netdiag /test:dns.

Run the tests again.

The missing SPNs are worrying; however, we have to make sure DNS is working
correctly before we can further troubleshoot anything else...

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

richierich

No, your direction is not correct. The question is, what permissions are
needed to rename a computer object in AD? I too thought add/del would work,
but it still gives an access denied when attempting to rename a computer
already in AD.

-thanks

Guest

The user also needs administrative permissions and rights on the source
computer.

So, the junior admin needs the create and delete computer object permission
on the OU that the computer is in, and needs to be a member of the local
administrators group on the PC that is being renamed.


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net

richierich

I guess then I need to create a security group called Jr Admin or something
like that, script that out to all systems in the domain, then he should be
able to change the name?

Guest

Sounds like a plan.

Use either the Restricted Groups function of GPO; or

net localgroup administrators /add domainName\userName in a startup script

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
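
A startup-script form of the `net localgroup` approach above, as an added example that is not part of the original post. It goes slightly further than the one-liner: it adds a domain group rather than a single user, is safe to run on every boot, and skips anything that is not a member workstation. `EXAMPLE\JrAdmins` is a placeholder, and the script assumes PowerShell 5.1 or later with the built-in LocalAccounts cmdlets.

```powershell
# Added example: machine startup script (runs as SYSTEM via GPO).
# The group name is a placeholder, not a value from the thread.
$member    = 'EXAMPLE\JrAdmins'
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators (its name is localized)

# Win32_ComputerSystem.DomainRole:
#   0 = standalone workstation, 1 = member workstation,
#   2 = standalone server,      3 = member server,
#   4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ne 1) {
    # On a domain controller the "local" Administrators group is the domain's
    # Builtin\Administrators group, so adding the junior admins there would
    # hand them the directory itself. Servers are left out as well.
    Write-Output "DomainRole ${role} is not a member workstation, nothing to do."
    exit 0
}

try {
    Add-LocalGroupMember -SID $adminsSid -Member $member -ErrorAction Stop
    Write-Output "Added $member to the local Administrators group."
}
catch [Microsoft.PowerShell.Commands.MemberExistsException] {
    # Expected on every boot after the first one.
    Write-Output "$member is already in the local Administrators group."
}
catch {
    Write-Error "Could not add ${member}: $($_.Exception.Message)"
    exit 1
}
```

Linking the GPO that carries this script only to the workstation OU keeps the scope narrow even if the role check is ever removed.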