delegating administrative access

richierich

I want to delegate admin tasks to a jr admin. I want him specifically to be
able to rename computer objects in my domain. What settings do I need to
check to allow this? I did the delegation wizard, but it is not that
granular in its use.

-thanks
 
Guest

Load ADU&C (dsa.msc) and select Advanced Features from the View drop-down menu.

Then right-click the container or OU that you wish to configure the
delegation on and choose properties. In the properties tab, choose Security
and then Advanced. In the Access Control Settings for <OU Name> choose add,
add the user name, and then in the Permission Entry for <OU Name> select the
following Allow permissions:

Create Computer Objects
Delete Computer Objects


Hope this helps,

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
richierich

Funny, I did that and it did not work. I thought that would be it too.
Mmmmm. Anything else to look at?
 
Guest

That's it. Although he'll also need read, but should have that by default.

What isn't working if you've done this? What error are you getting?

Start by checking that the DHCP Client Service is set to automatically start
and is running on the DC; that the DNS zone accepts dynamic updates; and that
the DC is pointing to itself for DNS.

Once you've done this, restart netlogon.

After restarting netlogon, run netdiag /test:dns.

Run the tests again.

The missing SPNs are worrying; however, we have to make sure DNS is working
correctly before we can further troubleshoot anything else...

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
richierich

No, your direction is not correct. The question is, what permissions are
needed to rename a computer object in AD? I too thought add/del would work,
but it still gives an access denied when attempting to rename a computer
already in AD.

-thanks
 
ptwilliams

The user also needs administrative permissions and rights on the source
computer.

So, the junior admin needs the create and delete computer object permission
on the OU that the computer is in, and needs to be a member of the local
administrators group on the PC that is being renamed.


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
richierich

I guess then I need to create a security group called Jr Admin or something
like that, script that out to all systems in the domain, then he should be
able to change the name?
 
ptwilliams

Sounds like a plan.

Use either the Restricted Groups function of GPO; or

net localgroup administrators /add domainName\userName in a startup script

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
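
The two settings this thread arrives at (create/delete computer object rights on the OU, plus local Administrators membership on the PC being renamed), as an added example that is not from any poster in the thread. The group EXAMPLE\JrAdmins, the OU distinguished name, and the availability of dsacls.exe and Windows PowerShell 5.1 (LocalAccounts module) are assumptions.

```powershell
# Added example, not from the thread. Placeholder names (assumptions):
$Group = 'EXAMPLE\JrAdmins'                      # domain security group for junior admins
$OU    = 'OU=Workstations,DC=example,DC=com'     # OU holding the computer objects

# Run once, as a domain administrator, on a machine that has dsacls.exe.
function Grant-ComputerObjectDelegation {
    param([string]$OuDn, [string]$Principal)
    # CC = create child, DC = delete child, restricted to the "computer" class,
    # so the group cannot create or delete users, groups or child OUs.
    # /I:T applies the entry to this OU and the objects beneath it.
    & dsacls.exe $OuDn /I:T /G "${Principal}:CCDC;computer"
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed with exit code $LASTEXITCODE"
    }
}

# Run as a startup script (machine context) on each workstation in scope.
function Add-DelegatedLocalAdmin {
    param([string]$Principal)
    # Well-known SID of the built-in Administrators group; the group's
    # display name differs between Windows language versions.
    $adminsSid = 'S-1-5-32-544'
    $present = Get-LocalGroupMember -SID $adminsSid -ErrorAction Stop |
        Where-Object { $_.Name -eq $Principal }
    if ($present) {
        return 'already-member'      # nothing to change on this boot
    }
    Add-LocalGroupMember -SID $adminsSid -Member $Principal -ErrorAction Stop
    return 'added'
}

# Review step: list who currently holds local admin rights on this machine,
# so the delegated group can be confirmed and stray entries spotted.
function Get-LocalAdminReport {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Example calls (commented out so loading the file changes nothing):
# Grant-ComputerObjectDelegation -OuDn $OU -Principal $Group
# Add-DelegatedLocalAdmin -Principal $Group
# Get-LocalAdminReport
```

Granting the rights to a group rather than to a single user account means that removing the junior admin later is one group-membership change instead of an ACL edit on the OU and on every workstation.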

