Sign in with
Sign up | Sign in
Your question

domain admin user who cant add other people to the admin g..

Last response: in Windows 2000/NT
Share
Anonymous
July 21, 2005 9:12:53 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi

Can a windows 2000 domain be set up so that I can allow a user to add
computers to teh domain/create shares on the domain, but they cant add
other people to administrative group?

Regards

R.
Anonymous
July 22, 2005 3:39:10 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Absolutely. Your subject heading is asking for the wrong thing, though.
You most definitely don't want to make them a domain admin, and if you're
thinking of the concept of a domain admin with one or two rights taken away
you are really thinking about this from the wrong angle.

What you will want to do is to use the delegate control wizard to allow a
group to create (and possibly delete) computer accounts from the computers
container (or the OU where you place computers). Then make the user(s) a
member of this group.

To allow creation of shares, make the user (or preferably a group created
for this purpose, which contains the user) an administrator only of the file
servers on which you want the user to be able to create shares. If you want
to do this locally, rather than using group policy, do the following:

Start | Run | compmgmt.msc | Computer Management (Local) | System Tools |
Local Users and Groups | Groups | Administrators

Add the user or group here.

If you are using your domain controllers to host file shares, then you may
have to have a rethink. Obviously, making a user an administrator of a
domain controller is effectively making them a domain admin.

Of course, if you happen to be routinely logging in to servers using domain
admin credentials, it is possible for your newly-created user to elevate
their privileges to domain admin. So, don't hire people you don't trust.

Hope this helps

Oli



"Jane" <Jane@temp.com> wrote in message
news:1121962373.82930.0@doris.uk.clara.net...
> Hi
>
> Can a windows 2000 domain be set up so that I can allow a user to add
> computers to teh domain/create shares on the domain, but they cant add
> other people to administrative group?
>
> Regards
>
> R.
!