domain admin user who cant add other people to the admin g..

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi

Can a windows 2000 domain be set up so that I can allow a user to add
computers to teh domain/create shares on the domain, but they cant add
other people to administrative group?

Regards

R.
1 answer Last reply
More about domain admin user people admin
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    Absolutely. Your subject heading is asking for the wrong thing, though.
    You most definitely don't want to make them a domain admin, and if you're
    thinking of the concept of a domain admin with one or two rights taken away
    you are really thinking about this from the wrong angle.

    What you will want to do is to use the delegate control wizard to allow a
    group to create (and possibly delete) computer accounts from the computers
    container (or the OU where you place computers). Then make the user(s) a
    member of this group.

    To allow creation of shares, make the user (or preferably a group created
    for this purpose, which contains the user) an administrator only of the file
    servers on which you want the user to be able to create shares. If you want
    to do this locally, rather than using group policy, do the following:

    Start | Run | compmgmt.msc | Computer Management (Local) | System Tools |
    Local Users and Groups | Groups | Administrators

    Add the user or group here.

    If you are using your domain controllers to host file shares, then you may
    have to have a rethink. Obviously, making a user an administrator of a
    domain controller is effectively making them a domain admin.

    Of course, if you happen to be routinely logging in to servers using domain
    admin credentials, it is possible for your newly-created user to elevate
    their privileges to domain admin. So, don't hire people you don't trust.

    Hope this helps

    Oli


    "Jane" <Jane@temp.com> wrote in message
    news:1121962373.82930.0@doris.uk.clara.net...
    > Hi
    >
    > Can a windows 2000 domain be set up so that I can allow a user to add
    > computers to teh domain/create shares on the domain, but they cant add
    > other people to administrative group?
    >
    > Regards
    >
    > R.
Ask a new question

Read More

Domain Windows 2000 Microsoft Active Directory Windows