Re: Custom rights
From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 06/15/04
- Next message: ScottS: "issue accessing an AD server"
- Previous message: Crazy Horse: "Re: Prudent or Paranoid?"
- In reply to: From QC: "Custom rights"
- Next in thread: From QC: "Re: Custom rights"
- Reply: From QC: "Re: Custom rights"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 15 Jun 2004 18:00:43 GMT
OK. Try this.
By default any user can log on to a server other than a domain controller. To
allow them to log on to a domain controller, give them the "log on locally" user
right in Domain Controller Security Policy. Note the user possibly could
manage what he needs from another computer through MMC snap-ins.
To add computers to the domain go to AD Users and Computers. Select view
advanced features. Then select the domain, right click and select delegate
control. The wizard will start. Add your user/group and select add computers
to the domain.
To add users to the domain go to the domain
container/properties/security/advanced/add - select your group/select
"create user objects" and apply. This allows them to create but not delete
users.
To add users to specific groups: in the properties of the group go to
security/advanced/add - select your group/select properties at the top
[instead of object]/select "write members" and apply. Of course this will
not work on privileged groups such as administrators.
To reset passwords for non-privileged user accounts, go to
domain/properties/security/advanced/add - select your users group/select
"apply onto:" user objects/select reset password and apply. By default
privileged accounts do not inherit permissions, to exempt them from
delegation. If you have a user in a privileged group and you remove that
user, you will have to manually configure permissions on that user object or
select "allow inheritable permissions to propagate from parent".
The above should allow a regular user account in the domain to do what you
want. A regular user cannot install most software. Personally I would not
want any regular user to log on to a domain controller; instead they can
use MMC snap-ins to manage what they need, which will prevent them from having
access to and installing anything on the domain controller. I would also
suggest you consider giving the user/group those powers [except add
computers to the domain] to an Organizational Unit instead and moving the
groups and users into the OU that you want them to manage. --- Steve
"From QC" <From QC@discussions.microsoft.com> wrote in message
news:1827439C-F403-44C3-AE7F-3BEEB8CD2C8B@microsoft.com...
> Hi!
>
> I need your help to determine what kind of permissions I need to give for a Network
> Technician on the domain:
>
> -Can log on the server
> -Can add computers in a domain
> -Can create users and add them to specific groups
> -Can reset password
> -Cannot delete users
> -Cannot install applications
>
> This is what I need. I don't want to give the user total access (just the
> list above) but enough to allow him to do his normal job.
>
> I know the custom permissions for a user, but does anybody have a kind of recipe
> for what I need? If anybody uses this kind of user in his network, tell me
> what you do for this kind of user!
>
> Thanks
>
> Ans.:
>
>
> Look into AD delegation, though you may need to do some custom delegation. You can
> modify the user right to log on locally to allow a user to log on to a computer and you
> can give a user the right to create computer objects in the domain or OU, which would
> take care of the first two.
>
> Create a test OU and then select properties/delegation to start the delegation wizard
> to see what the "built in" rights are, including resetting passwords and modifying
> group membership; for the rest you will have to experiment, such as the
> ability to create a user but not delete one, which would need to be a custom
> delegation for creating user objects. The links below may help. --- Steve
>
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/526.asp
> --- refer to the last paragraph
> http://support.microsoft.com/default.aspx?scid=kb;en-us;294952
> -- example of custom delegation.
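The following is an added example, not part of the original thread or written by either poster. It carries out the delegation Steve describes (create but not delete users, write group membership, reset passwords, create computer objects) with the ActiveDirectory PowerShell module, scoped to an OU as he recommends, and finishes with his caveat about privileged accounts. The domain DC=example,DC=com, the OU "OU=Managed,DC=example,DC=com" and the delegate group "NetTechs" are assumed names. Following Steve's advice, it deliberately does not grant the "log on locally" right on domain controllers.

```powershell
# Added example (not from the original thread): the delegation Steve describes,
# done with the ActiveDirectory module and scoped to one OU, as he recommends.
# Assumed names (not in the original post): domain DC=example,DC=com,
# OU "OU=Managed,DC=example,DC=com" holding the users/groups to be managed,
# and a delegate group named "NetTechs".
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=com'                       # assumed domain
$ouDN     = 'OU=Managed,DC=example,DC=com'            # assumed OU to delegate over
$techSid  = (Get-ADGroup -Identity 'NetTechs').SID    # assumed delegate group
$rootDse  = Get-ADRootDSE

# Resolve the GUIDs of schema classes/attributes and of extended rights from the
# directory itself instead of hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
               -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
               -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'
$groupClass    = Get-SchemaGuid 'group'
$computerClass = Get-SchemaGuid 'computer'
$memberAttr    = Get-SchemaGuid 'member'
$resetPassword = Get-ExtendedRightGuid 'Reset Password'

# Build one ACE. $inherit = 'Descendents' with $appliesTo = <class GUID> is the GUI's
# "Apply onto: <class> objects"; $inherit = 'All' with an empty $appliesTo covers the
# container and everything below it.
function New-AdAce($sid, $rights, $objectGuid, $inherit, $appliesTo) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]$rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$objectGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$inherit,
        [guid]$appliesTo)
}

# --- On the OU: create (but not delete) users, write group membership, reset passwords
$ouAcl = Get-Acl -Path "AD:\$ouDN"
# "Create User objects": CreateChild restricted to the user class. No DeleteChild ACE
# is added, which is what gives "create but not delete".
$ouAcl.AddAccessRule((New-AdAce $techSid 'CreateChild' $userClass 'All' ([guid]::Empty)))
# "Write Members": WriteProperty on the member attribute, applied onto descendant
# group objects only.
$ouAcl.AddAccessRule((New-AdAce $techSid 'WriteProperty' $memberAttr 'Descendents' $groupClass))
# "Reset Password" extended right, applied onto descendant user objects only.
$ouAcl.AddAccessRule((New-AdAce $techSid 'ExtendedRight' $resetPassword 'Descendents' $userClass))
Set-Acl -Path "AD:\$ouDN" -AclObject $ouAcl

# --- On the domain: create computer objects. Steve keeps this one domain-wide because
# computers joined to the domain are created in the default Computers container,
# not in the managed OU.
$domAcl = Get-Acl -Path "AD:\$domainDN"
$domAcl.AddAccessRule((New-AdAce $techSid 'CreateChild' $computerClass 'All' ([guid]::Empty)))
Set-Acl -Path "AD:\$domainDN" -AclObject $domAcl

# --- Verify exactly what the technicians' group was granted on the OU
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*\NetTechs' -and -not $_.IsInherited } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize

# --- Steve's caveat: privileged accounts do not inherit these permissions. Accounts
# the domain protects this way carry adminCount=1; list any that sit in the OU so a
# denied password reset on one of them is not a surprise.
Get-ADUser -SearchBase $ouDN -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object Name, DistinguishedName
```

Run it once as a domain administrator; the verification step at the end should show exactly four non-inherited entries for the group on the OU and domain, each with the object type or inherited object type that restricts it, which is the easiest way to confirm that nothing broader (such as a blanket DeleteChild or GenericAll) slipped in.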