Split AD and Server Administration

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

A year and a half ago we split support of Active Directory from the support
of Windows Servers. At the current time we want to remove the Windows Server
Team from Domain Admins and Administrators groups on the domain controllers.
The Windows Server Team (WST) should be able to do all normal tasks like
manage hardware, add/remove apps, run perfmon, change network settings, etc.,
while only having the ability to add/remove computers from AD.

Is all of this possible??? They would need more permissions than the
default permissions granted to Server Operators. Has anyone tried to accomplish this?
 
Guest

And, if you define a ServerAdmins group, which is a member
of Administrators group on each non-DC server, and you also
grant ServerAdmins the User Right to Add workstations to the
domain, this somehow does not meet your requirements?
What you did not mention, but which I would suggest you also
do, is delegate managing settings in GPOs that are linked to the
OUs that hold the non-DC servers.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Onion" <Onion@discussions.microsoft.com> wrote in message
news:D4F5D073-98D0-40C9-921C-23F1027B586B@microsoft.com...
> A year and a half ago we split support of Active Directory from the support
> of Windows Servers. At the current time we want to remove the Windows Server
> Team from Domain Admins and Administrators groups on the domain controllers.
> The Windows Server Team (WST) should be able to do all normal tasks like
> manage hardware, add/remove apps, run perfmon, change network settings, etc.,
> while only having the ability to add/remove computers from AD.
>
> Is all of this possible??? They would need more permissions than the
> default permissions granted to Server Operators. Has anyone tried to accomplish this?
 
Guest

If you do not need them to do all that on domain controllers then you can
make them local administrators on the computers/servers you want them to
manage and delegate them the permissions to add/remove computers as Roger
stated. However you will not be able to have them do all you describe on
domain controllers without being in the administrators group for the domain,
particularly change network settings and install applications. --- Steve


"Onion" <Onion@discussions.microsoft.com> wrote in message
news:D4F5D073-98D0-40C9-921C-23F1027B586B@microsoft.com...
> A year and a half ago we split support of Active Directory from the support
> of Windows Servers. At the current time we want to remove the Windows Server
> Team from Domain Admins and Administrators groups on the domain controllers.
> The Windows Server Team (WST) should be able to do all normal tasks like
> manage hardware, add/remove apps, run perfmon, change network settings, etc.,
> while only having the ability to add/remove computers from AD.
>
> Is all of this possible??? They would need more permissions than the
> default permissions granted to Server Operators. Has anyone tried to accomplish this?
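
The delegation described in the two replies above, sketched as an added example that is not part of the original thread: a ServerAdmins group that is local administrator on non-DC servers, can create and delete computer objects in one OU, and can edit the GPOs linked to that OU, followed by a check that none of its members is still in a domain-wide admin group. It uses OU-level delegation with `dsacls` instead of the "Add workstations to domain" user right. The domain, OU and GPO names are assumed placeholders, and it assumes the RSAT ActiveDirectory and GroupPolicy modules plus PowerShell remoting to the member servers.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example. Every name below except 'ServerAdmins' is an assumed placeholder.
$Domain   = 'EXAMPLE'                              # NetBIOS domain name (assumed)
$ServerOU = 'OU=Member Servers,DC=example,DC=com'  # OU holding the non-DC servers (assumed)
$GroupOU  = 'OU=Admin Groups,DC=example,DC=com'    # where the group object lives (assumed)
$GpoNames = @('Member Servers Baseline')           # GPOs linked to $ServerOU (assumed)
$Group    = 'ServerAdmins'                         # group name suggested in the thread

# 1. Create the group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -SamAccountName $Group -GroupScope Global `
                -GroupCategory Security -Path $GroupOU
}

# 2. Delegate create/delete of computer objects in the server OU and below.
#    CC = create child, DC = delete child, limited to the 'computer' class.
dsacls $ServerOU /I:T /G "$Domain\${Group}:CCDC;computer" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $ServerOU" }

# 3. Delegate editing of the GPOs linked to the server OU.
foreach ($gpo in $GpoNames) {
    Set-GPPermission -Name $gpo -TargetName $Group -TargetType Group `
                     -PermissionLevel GpoEdit | Out-Null
}

# 4. Put the group in local Administrators on every server in the OU (never on DCs).
$servers = Get-ADComputer -SearchBase $ServerOU -Filter * |
           Select-Object -ExpandProperty DNSHostName
Invoke-Command -ComputerName $servers -ArgumentList "$Domain\$Group" -ScriptBlock {
    param($member)
    $present = Get-LocalGroupMember -Group 'Administrators' -Member $member `
                                    -ErrorAction SilentlyContinue
    if (-not $present) { Add-LocalGroupMember -Group 'Administrators' -Member $member }
}

# 5. Verify the split: warn about any ServerAdmins member that is still in
#    Domain Admins or the domain's built-in Administrators group.
$wstSids = (Get-ADGroupMember $Group -Recursive).SID.Value
foreach ($priv in 'Domain Admins', 'Administrators') {
    Get-ADGroupMember $priv -Recursive |
        Where-Object { $wstSids -contains $_.SID.Value } |
        ForEach-Object { Write-Warning "$($_.SamAccountName) is still in $priv" }
}
```

Step 5 is worth re-running on a schedule, since re-adding a server administrator to Domain Admins silently undoes the separation.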