AD permission for admins

Guest
Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hello, can anyone summarize what I should do to grant permissions to
remote admins to manage their own OUs, their computer and users under
their own OUs and their remote servers (remote domain controllers)
without granting access to all resources in AD. Right now I have 5
admin accounts with full access (enterprise and domain admin). I would
like to change that but I would like them to be able to add new
computers to their domains. Thanks
 
Guest

I forgot to ask, do I have to give the user login rights to their
remote servers or is there something like Active Directory Users and
Computers for XP?
 
Guest

> Hello, can anyone summarize what I should do to grant permissions to remote
> admins to manage their own OUs, their computer and users under their own
> OUs and their remote servers (remote domain controllers) without granting
> access to all resources in AD.

Delegate permissions to the OU for the tasks you wish to allow, e.g. change
password, create users, delete users, etc.

If you wish to make these users administrators over the computers under this
OU, create a GPO and link it to the OU and either use Restricted Groups or a
startup script to add a group that these users belong to, to the local
administrator group on the clients.

I recommend you search for, and download, the MS Delegation white paper AND
its appendix.


> Right now I have 5 admin accounts with full access (enterprise and domain
> admin). I would like to change that but I would like them to be able to add
> new computers to their domains. Thanks

By default a user can add 10 machines to the domain. You can increase this
value or grant the group that these users belong to the add computers to the
domain right (via GPO of course). There's a third option (delegating create
and modify computers) but that won't work without additional intervention,
so is beyond the scope of this question.

--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
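
The OU delegation and the 10-machine default described in the reply above, as an added example that is not part of the original thread. It assumes `dsacls.exe` and the RSAT ActiveDirectory PowerShell module (which postdates this thread) are available on a domain-joined admin workstation; the OU, domain and group names are constructed placeholders.

```powershell
# Added example: every name below is a constructed placeholder.
$ou    = 'OU=Branch1,DC=example,DC=com'   # OU the remote admins should manage
$group = 'EXAMPLE\Branch1-Admins'         # group holding the remote admin accounts

# Helper (hypothetical name): grant one ACE on the OU to the delegated group.
#   Inherit 'T' = this object and sub-objects, 'S' = sub-objects only.
function Grant-OuRight([string]$Ace, [string]$Inherit) {
    dsacls.exe $ou "/I:$Inherit" /G "${group}:$Ace" | Out-Null
}

# "create users, delete users": create/delete child objects of class user.
Grant-OuRight -Ace 'CCDC;user' -Inherit 'T'

# "change password": the Reset Password control access right on user objects,
# plus write access to pwdLastSet so "must change password at next logon"
# can be set by the same admins.
Grant-OuRight -Ace 'CA;Reset Password;user' -Inherit 'S'
Grant-OuRight -Ace 'WP;pwdLastSet;user'     -Inherit 'S'

# Review what was granted: list only the ACEs that name the delegated group.
dsacls.exe $ou | Select-String -SimpleMatch 'Branch1-Admins'

# The "10 machines" default is the ms-DS-MachineAccountQuota attribute on the
# domain head. Read the current value before deciding whether to change it.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"Current machine account quota: $quota"

# To change it (value 25 is a constructed sample), uncomment:
# Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 25 }
```

Once the group holds these ACEs, the five accounts can be removed from Enterprise Admins and Domain Admins and added to the delegated group instead.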