Re: Custom rights
From: From QC (FromQC_at_discussions.microsoft.com)
Date: Tue, 15 Jun 2004 11:23:01 -0700
Thank you Steven!
This is what I need!
"Steven L Umbach" wrote:
> OK. Try this.
> By default any user can log onto a server other than domain controller. To
> allow then to logon to a domain controller give them the logon locally user
> right in Domain Controller Security Policy. Note the user possibly could
> manage what he needs from another computer through mmc snapins.
> To add computers to the domain go to AD Users and Computers. Select view
> advanced features. Then select the domain, right click and select delegate
> control. The wizard will start. Add your user/group and select add computers
> to the domain.
> To add users to the domain go to the domain
> container/properties/security/advanced/add - select your group/select
> "create user objects" and apply. This allows them to create but not delete
> To add users to a specific groups. In the properties of the groups go to
> security/advanced/add - select your group/select properties at the top
> [instead of object]/select "write members" and apply. Of course this will
> not work on privileged groups such as administrators.
> To reset password for non privileged user accounts. Go to
> domain/properties/security/advanced/add - select your users group/select
> "apply onto:" user objects/select reset password and apply. By default
> priviliged accounts do not inherit permissions to exempt them from
> delegation. If you have a user in a priviliged group and you remove that
> user, you will have to manually configure permissions on that user object or
> select "allow inheritable permissions to propagate from parent".
> The above should allow a regular user account in the domain to do what you
> want. A regular user can not install most software. Personally I would not
> want any regular user to logon to a domain controller but instead they can
> use mmc snapins to mange what they need which will prevent them from having
> access and installing anyhting on the domain controller. I would also
> suggest you consider giving the user/group those powers [except add
> computers to the domain] to an Organizational Unit instead and moving the
> groups and users into the OU that you want them to manage. --- Steve
> "From QC" <From QC@discussions.microsoft.com> wrote in message
> > Hi!
> > I need your help to determine what kind of permissions I need to give for
> a Network
> > Technician on the domain:
> > -Can log on the server
> > -Can add computers in a domain
> > -Can create a users and add to a specific groups
> > -Can reset password
> > -Cannot delete users
> > -Cannot install applications
> > This is what a need. I don't want to give user's total access(just the
> list higher) but enough to allow him to do his normal job.
> > I know the custom permissions for a user, but anybody have a kind a recipe
> for what I need? If anybody use this kind of user in his network tell me
> what you do for this kind of user!
> > Thanks
> > Ans.:
> > Look into AD delegation, though you may need to do some custom delegation.
> You can
> > modify the user right to logon locally to allow a user to logon to a
> computer and you
> > can give a user the right to create computer objects in the domain or OU
> which would
> > take care of the first two.
> > Create a test OU and then select properties delegation to start the
> delegation wizard
> > to see what the "built in" rights are including resetting passwords and
> > group membership and for the rest you will have to experiment with such as
> > ability to create a user but not delete one would need to be a custom
> delegation for
> > creating user objects. The links below may help. --- Steve
> > --- refer to the last paragraph
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;294952
> > -- example of custom delegation.