change permissions

[Guest]

Hello all,

I need to set permissions for users so that they are removed from the domain
admins group, but still retain permissions such as having access to change
passwords, add printers, and add computers to the domain. We are currently
running a Windows 2000 domain in native mode.

Whats the best way to achieve this?

Thanks for your time

Sincerely,

Greg

 

[Steven L Umbach]

You want to look at Active Directory delegation to allow a regular user to
change passwords on non privileged accounts and add computers to the domain.
You can select the container you want to do the delegation on, right click,
and select delegate to start the delegation Wizard which will then give you
some generic choices or you can select advanced/custom if you need to fine
tune permissions for AD object types. The user/group needs the permissions
to create computer accounts to add computers to the domain. As far as
printers if you are talking about printers on domain computers you can add
the users/group to the local administrators or possibly power users group if
need be on the domain workstations which can be done with a Group Policy
startup script or using Group Policy Restricted Groups if you need to do it
for a large number of domain computers. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html ---
Group Policy Restricted Groups which has two distinct modes. One will
replace/enforce current group membership and one will add to it.
http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
--- AD delegation white paper of which most also applies to Windows 2000.