Regarding OU

[Srinivas Acharya]

Hi All,
I am going to create OU and going to add some of the
computers of the domain to that. I delegate admin
previleges to some body for that OU. I wanted to know
whether that person can have admin previleges for those
computers?. Whether he can administer those PCs. HE is not
in domain admins and local admins group.

Your thouhts on this will be helpful.

Regards,
Srinivas Acharya

 

[Tomasz Onyszko]

Hi All,
I am going to create OU and going to add some of the
computers of the domain to that. I delegate admin
previleges to some body for that OU. I wanted to know
whether that person can have admin previleges for those
computers?. Whether he can administer those PCs. HE is not
in domain admins and local admins group.

At the OU level You can assign GPO and set Restricted groups to add this
person to the Power Users or Administrators group on the machines
grouped in this OU

 

[Nathan]

-----Original Message-----
Hi All,
I am going to create OU and going to add some of the
computers of the domain to that. I delegate admin
previleges to some body for that OU.

This user now has AD rights to AD objects within this OU
only. He does not have any access to the machines that
are assigned in this OU unless he belongs to a AD group
that is listed in the LOCAL groups on these workstations.

Create an admin group for the OU and add it to the local
groups as needed.

 

[Srinivas Acharya]

Hi,
Yo mean to say that delegation is restricted to directory
only and that person will not be having admin prvileges on
that PC until he belongs to domain admins group?.
In that case what is the use of delegation?.

Regards,
Srinivas Acharya

 

[srinivas Acharya]

Hi,
Yo mean to say that delegation is restricted to directory
only and that person will not be having admin prvileges on
that PC until he belongs to domain admins group?.
In that case what is the use of delegation?.

Regards,
Srinivas Acharya

 

[Alexander Suhovey]

In that case what is the use of delegation?.
The use of delegation is that administrators can delegate particular
administrative tasks to ordinary user accounts WITHOUT making those
accounts domain/local admins. Basically (as I understand) all delegation
does is makes apropriate changes in domain object's ACLs.

Al.

 

[Srinivas Acharya]

Hi,
Thanks for replying.
Can you just tell me what kind of administrative tasks you
are refering to.

Regards,
Srinivas Acharya

 

[Alexander Suhovey]

Managing domain user and computer accounts, GPOs, DNS and DHCP servers...
that kind of stuff. You can delegate most of (if not all) Active Directory
admininstration tasks.
You may wish to read AD Delegation Whitepaper for more details:
http://www.microsoft.com/technet/pr...logies/directory/activedirectory/actdid1.mspx

Al.

 

[Srinivas Acharya]

Hi,
Does it include administering of windows 2000 clients. Can
the common user who is not domain admin and local admin can
become administrator for particular OU and can administer
the that PC locallly?.

Regards,
Srinivas Acharya

 

[ptwilliams]

I think making a user a local admin is the best way to do this. You can do
this via restricted groups in the GPO.

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________


Hi,
Does it include administering of windows 2000 clients. Can
the common user who is not domain admin and local admin can
become administrator for particular OU and can administer
the that PC locallly?.

Regards,
Srinivas Acharya