OU delegate control

W

Wayne

we have OU called "London". We want our london admin to
have administrator right on London computers only. is
there anyway to do that ?
we want him to be administrator of all pcs and servers
(plus a domain controller) in london. if we give him full
controll on the London OU, he can creat users, change
password, etc on everything under London OU. but, that
doesn't mean his ID will be local administrator on these
PCs. and since all DCs share AD database, there's no way
to just give him local admin right on that DC only.

without making a child domain for "London", is that any
way to give him administrator right to all London
machines ?

thanks,
 
T

Tomasz Onyszko

Wayne said:
we have OU called "London". We want our london admin to
have administrator right on London computers only. is
there anyway to do that ?
we want him to be administrator of all pcs and servers
(plus a domain controller) in london. if we give him full
controll on the London OU, he can creat users, change
password, etc on everything under London OU. but, that
doesn't mean his ID will be local administrator on these
PCs. and since all DCs share AD database, there's no way
to just give him local admin right on that DC only.
Click to expand...

Few topic earlier the idea of "rectricted groups" was discussed
http://support.microsoft.com/?id=228496
This is the way how You can put this users into local administrators
group on workstations and servers.

I don't know what You mean when You are saying "(plus a domain
controller)" - you want him to have full admin rights on domain
controller and domain, or just on the server itslef (OS, hardware and so
on) - in this second case put this users into "Server operators"
built-in group not in the administrators or domain admin.

For creatin usersm changing passwords and similiar tasks delegate proper
tasks for this user
 
S

Steven L Umbach

No, what you want to do is not possible. You can not make a domain user
administrator of only one domain controller in the domain. You could do
everything but that. --- Steve
 
P

ptwilliams

You can make a user an administrator of only DCs by adding that user to the
domain local administrators group (not domain admins). But as Steve said,
that cannot apply to a single DC - that applies to all DCs (but nothing
else).

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


No, what you want to do is not possible. You can not make a domain user
administrator of only one domain controller in the domain. You could do
everything but that. --- Steve
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Listing all the users in a group 4
Move tree error 1
Win2000 DC logon with domain admin account problem 3
Regarding OU 9
OU Structure 6
Westminster 28th March 2017 7
Restricted Groups 2
Restricted groups 1

Top