delegating administrative access

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I want to delegate admin tasks to a jr admin. I want him specifically to be
able to rename computer objects in my domain. What settings do I need to
check to allow this? I did the delegation wizard, but it is not that
granular in its use.

-thanks
  1.

    Load ADU&C (dsa.msc) and select Advanced Features from the View drop-down menu.

    Then right-click the container or OU that you wish to configure the
    delegation on and choose properties. In the properties tab, choose Security
    and then Advanced. In the Access Control Settings for <OU Name> choose add,
    add the user name, and then in the Permission Entry for <OU Name> select the
    following Allow permissions:

    Create Computer Objects
    Delete Computer Objects


    Hope this helps,

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  2.

    funny, I did that and it did not work. I thought that would be it too.
    mmmmm. anything else to look at?
  3.

    That's it. Although he'll also need read, but should have that by default.

    What isn't working if you've done this? What error are you getting?

    Start by checking that the DHCP Client Service is set to automatically start
    and is running on the DC; that the DNS zone accepts dynamic updates; and that
    the DC is pointing to itself for DNS.

    Once you've done this, restart netlogon.

    After restarting netlogon, run netdiag /test:dns.

    Run the tests again.

    The missing SPNs are worrying; however, we have to make sure DNS is working
    correctly before we can further troubleshoot anything else...

    --

    Paul Williams

    http://www.msresource.net/
    http://forums.msresource.net/
  4.

    No, your direction is not correct. The question is, what permissions are
    needed to rename a computer object in AD? I too thought add/del would work,
    but it still gives an access denied when attempting to rename a computer
    already in AD.

    -thanks
  5.

    The user also needs administrative permissions and rights on the source
    computer.

    So, the junior admin needs the create and delete computer object permission
    on the OU that the computer is in, and needs to be a member of the local
    administrators group on the PC that is being renamed.


    --

    Paul Williams

    http://www.msresource.net
    http://forums.msresource.net
  6.

    I guess then I need to create a security group called Jr Admin or something
    like that, script that out to all systems in the domain, then he should be
    able to change the name?
  7.

    Sounds like a plan.

    Use either the Restricted Groups function of GPO; or

    net localgroup administrators /add domainName\userName in a startup script

    --

    Paul Williams

    http://www.msresource.net
    http://forums.msresource.net
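
The startup-script option from the last reply, written out as an added example that is not part of the original thread: a computer startup script that adds a domain group to the local Administrators group and skips machines where it is already a member. The group name `EXAMPLE\JrAdmins` and the log path are placeholders. Link the GPO that runs it only to the OUs whose computers the junior admin should manage, because the group gets full local administrator rights on every machine where the script runs.

```batch
@echo off
rem Added example, not from the thread. Runs as a computer startup script
rem (SYSTEM context) and adds a domain group to the local Administrators group.
rem EXAMPLE\JrAdmins and the log path are placeholders; change them to suit.
setlocal
set "GROUP=EXAMPLE\JrAdmins"
set "LOG=%SystemRoot%\Temp\jradmins-localadmin.log"

rem Check current membership first. Adding a name that is already a member
rem makes "net localgroup ... /add" fail (system error 1378), which would
rem otherwise be logged as a failure on every boot.
net localgroup Administrators | findstr /i /l /c:"%GROUP%" >nul
if not errorlevel 1 goto :done

rem Add the group, not an individual user, so access is later granted or
rem revoked by changing group membership in AD rather than touching each PC.
net localgroup Administrators "%GROUP%" /add >>"%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% failed to add %GROUP% on %COMPUTERNAME% >>"%LOG%"
    endlocal
    exit /b 1
)
echo %DATE% %TIME% added %GROUP% on %COMPUTERNAME% >>"%LOG%"

:done
endlocal
exit /b 0
```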