Delegation Wizard

Guest

I created an ITS Global Group to allocate its users there. OK, I'm in the
delegation wizard trying to understand how to delegate to these users the
option *add computers to the network* without allowing them to be account
operators. I mean, I can't find the right permission that explicitly gives me
that option. And where must I apply the delegation: in the default
computers OU, Built-In or not?

**At the same time I have the same situation with server operators; I need
to give them the option to be full domain managers on a daily basis without
adding them to the Domain Admins group.


Thanks for any help with it!
 
Jorge_de_Almeida_Pinto

First of all, open up the Default Domain Controllers Policy and go to
Computer Configuration, Windows Settings, Security Settings, Local
Policies, User Rights. In there you will find the user right called
"Add workstations to the domain" (top of the list somewhere). Double
click it and you will probably see Authenticated Users listed. Remove
only Authenticated Users from the list. By removing Authenticated
Users you are preventing each and every user on your network
from joining up to 10 computers to the domain without you even knowing
it.

Delegating the creation of computers:
* Configure the delegation of control wizard as mentioned in the links
(detailed description on how to)
http://www.mail-archive.com/[email protected]/msg30509.html
http://www.mail-archive.com/[email protected]/msg30514.html
http://www.mail-archive.com/[email protected]/msg27124.html
* Create a separate OU
* Put all computer accounts that you want to be managed into that OU
* Create a group that will be able to add computer accounts and join
them (also as mentioned in the links provided)
* Delegate the add computer account perms and join computers to the
group mentioned

Concerning the server operators... what do you mean by daily basic
domain tasks? That needs to be clear before a valid answer can be
given to you.
For delegating tasks see the following white papers. They are very
good!
http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
http://www.microsoft.com/downloads/...88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

A tip for delegation (this may depend on the organization, but it
should give you a hint how to do it):
* Create separate admin accounts to perform admin tasks
* Define the admin roles in your organization
* Define all the admin tasks performed by those roles in your
organization
* Create an OU for the Admin roles and the admin tasks
* Do not delegate the management of the roles and the tasks to groups
or persons other than the domain admins
* Create an OU for the Admin accounts
* Do not delegate the management of the admin accounts to groups or
persons other than the domain admins
* Create a separate OU for the Admin roles
* Set up admin roles represented by security groups in AD
* Set up all kinds of tasks represented by security groups in AD
* Give the task groups the appropriate permissions in AD and on
servers through the delegation of control wizard and through GPOs
(restricted groups feature)
* Make the role groups a member of the appropriate tasks
* Make the admin accounts a member of the appropriate roles (most of
the time 1 admin account only has one role assigned)
* Protect the admin accounts OU, the admin roles and tasks OU

Good luck!
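
Added example, not part of the thread: a PowerShell check of which SIDs hold "Add workstations to the domain" (stored as SeMachineAccountPrivilege in the [Privilege Rights] section of a policy's GptTmpl.inf security template), flagging Authenticated Users and other catch-all groups as the reply above advises. The template text and the domain SID are constructed samples, and the function names are hypothetical.

```powershell
# Constructed sample of a GptTmpl.inf security template (not taken from a real domain).
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Well-known SIDs that cover effectively every account in the domain.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Hypothetical helper: return the SIDs/names assigned to one user right.
function Get-PrivilegeHolders {
    param([string]$InfText, [string]$Privilege)
    $pattern = '^' + [regex]::Escape($Privilege) + '\s*=\s*(.*)$'
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside [Privilege Rights]
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match $pattern) {
            # Entries are comma separated; SIDs carry a leading '*'
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # right not defined in this template
}

# Hypothetical helper: report each holder and whether it is a catch-all group.
function Test-AddWorkstationRight {
    param([string]$InfText)
    foreach ($sid in (Get-PrivilegeHolders -InfText $InfText -Privilege 'SeMachineAccountPrivilege')) {
        [pscustomobject]@{ Holder = $sid; TooBroad = $broadSids.ContainsKey($sid)
                           KnownAs = $broadSids[$sid] }
    }
}

Test-AddWorkstationRight -InfText $sampleInf | Format-Table -AutoSize
```

On the constructed sample, the row for S-1-5-11 is the only one with TooBroad set to True; the other holder is a domain-specific SID standing in for a delegated group.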
 
Guest

Hi,
- I found Authenticated Users in the option "add computers to the domain", so
if I remove Authenticated Users, what would happen? I have 2 questions:
* Domain admins by default have no problem. They have full rights on the
domain!
* I have to add a group where I will have my ITS users. So they could add PCs
to the domain?

Concerning server operators, I mean allowing them to reset passwords, enable/disable
accounts, create GPOs, move users, etc., without allowing them to be domain
admins?

Thanks for comments !!
 
