Split AD and Server Administration

Guest

A year and a half ago we split support of Active Directory from the support
of Windows Servers. At the current time we want to remove the Windows Server
Team from Domain Admins and Administrators groups on the domain controllers.
The Windows Server Team (WST) should be able to do all normal tasks like
manage hardware, add/remove apps, run perfmon, change network settings, etc.
while only having the ability to add/remove computers from AD.

Is all of this possible??? They would need more permissions than the
default permissions granted to Server Operators. Anyone try to accomplish this?
 
Roger Abell

And, if you define a ServerAdmins group, which is a member
of Administrators group on each non-DC server, and you also
grant ServerAdmins the User Right to Add workstations to the
domain, this somehow does not meet your requirements?
What you did not mention, but which I would suggest you also
do, is delegate managing settings in GPOs that are linked to the
OUs that hold the non-DC servers.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Onion said:
A year and a half ago we split support of Active Directory from the support
of Windows Servers. At the current time we want to remove the Windows Server
Team from Domain Admins and Administrators groups on the domain controllers.
The Windows Server Team (WST) should be able to do all normal tasks like
manage hardware, add/remove apps, run perfmon, change network settings, etc
while only having the ability to add/remove computers from AD.

Is all of this possible??? They would need more permissions than the
default permissions granted to Server Operators. Any try to accomplish
this?
 
Steven L Umbach

If you do not need them to do all that on domain controllers then you can
make them local administrators on the computers/servers you want them to
manage and delegate them the permissions to add/remove computers as Roger
stated. However, you will not be able to have them do all you describe on
domain controllers without being in the administrators group for the domain,
particularly change network settings and install applications. --- Steve
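
One way to script the delegation the replies above describe, as an added example that is not part of the original thread. It grants create/delete of computer objects through an ACL on the server OU rather than through the "Add workstations to domain" user right, and the domain name, OU paths and GPO name are assumed placeholders (only the ServerAdmins group name comes from the thread).

```powershell
# Added example: least-privilege delegation for a Windows Server Team.
# All names except 'ServerAdmins' are assumed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain    = 'EXAMPLE'                              # assumed NetBIOS domain name
$ServerOU  = 'OU=Member Servers,DC=example,DC=com'  # assumed OU holding the non-DC servers
$GroupOU   = 'OU=Groups,DC=example,DC=com'          # assumed OU for role groups
$GroupName = 'ServerAdmins'                         # group name suggested in the thread
$GpoName   = 'Member Servers Baseline'              # assumed GPO linked to $ServerOU
$Member    = "$Domain\$GroupName"

# 1. Create the role group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}

# 2. Allow creating and deleting computer objects, scoped to the server OU and its sub-OUs only.
dsacls $ServerOU /I:T /G "${Member}:CCDC;computer"

# 3. Delegate editing of the GPO linked to the server OU.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoEdit

# 4. Make the group a local administrator on every non-DC server in the OU.
$servers = Get-ADComputer -SearchBase $ServerOU -Filter * |
    Select-Object -ExpandProperty DNSHostName
Invoke-Command -ComputerName $servers -ScriptBlock {
    $present = Get-LocalGroupMember -Group 'Administrators' -Member $using:Member `
        -ErrorAction SilentlyContinue
    if (-not $present) {
        Add-LocalGroupMember -Group 'Administrators' -Member $using:Member
    }
}

# 5. Check the split: flag any ServerAdmins member that still holds domain-level admin rights.
$team = Get-ADGroupMember -Identity $GroupName -Recursive
foreach ($privGroup in 'Domain Admins', 'Administrators') {
    $privSids = (Get-ADGroupMember -Identity $privGroup -Recursive).SID.Value
    $team | Where-Object { $privSids -contains $_.SID.Value } | ForEach-Object {
        Write-Warning "$($_.SamAccountName) is still a member of '$privGroup'"
    }
}
```

Step 5 reports only; removing the flagged accounts from Domain Admins and the domain's Administrators group is left as a deliberate manual change.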
 
