AD permission for admins

J

jcharth

Hello can anyone summarize what i should do to grant permissions to
remote admins to manager their own OUs, their computer and users under
their own OUs and their remote servers (remote domain cotrollers)
without granting access to all resources in AD. Right now i have 5
admin accounts with full access(enterprise and domain admin) I would
like to change that but I would like them to be able to add new
computers to their domains. thanks
 
P

ptwilliams

Hello can anyone summarize what i should do to grant permissions to remote
admins to manager their own OUs, their computer and users under their own
OUs and their remote servers (remote domain controllers) without granting
access to all resources in AD.
Click to expand...

Delegate permissions to the OU for the tasks you wish to allow, e.g. change
password, create users, delete users, etc.

If you wish to make these users administrators over the computers under this
OU create a GPO and link it to the OU and either use Restricted groups or a
startup script to add a group that these users belong to, to the local
administrator group on the clients.

I recommend you search for, and download the MS Delegation white paper AND
it's appendix.

Right now i have 5 admin accounts with full access(enterprise and domain
admin) I would like to change that but I would like them to be able to add
new computers to their domains. thanks
Click to expand...

By default a user can add 10 machines to the domain. You can increase this
value or grant the group that these users belong to the add computers to the
domain right (via GPO of course). There's a third option (delegating create
and modify computers) but that won't work without additional intervention,
so is beyond the scope of this question.
 
J

jcharth

I forgot to ask, do i have to give the user login rights to their
remote servers or is there something like Active Directory Users and
computer for xp?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Prevent some Domain Admin Account from creating USERS, Groups, OUs 2
AD design question. 2 Domains vs. 2 OUs 2
School Design for AD 14
GPO and Add Computer to Domain 1
Migrating from multiple child domain environment to single domain with OUs. What's correct method? 5
AD design question....again 4
Enterprise Admins 2
Domain Rights 1

Top