Re: OU Delegation

From: Herb Martin (news_at_LearnQuick.com)
Date: 12/17/04


Date: Fri, 17 Dec 2004 14:44:03 -0600


"Fred Yarbrough" <fcyarbrough@yahoo.com> wrote in message
news:O5XXbtF5EHA.1300@TK2MSFTNGP14.phx.gbl...
>
>
> PROBLEM:
> I need to allow their onsite admin to be able to administer their OU.
> They need to be able to log in to the DC and do things and to perform basic
> administrator functions for their site. I added this user to the Delegate
> Control function for their OU but it does not seem to allow them to log in
> to the DC.

Usually that isn't directly related to OU delegation (which
allows for adding/removing/resetting accounts/passwords
in the OU but not necessarily logging onto the computers).

To allow Logon to the DC, you will have to either add the
user to a group with this privilege (e.g., Domain Admins,
Server Operators, etc.) or create a group for the explicit
purpose and give it the necessary privileges.

> Is there something special that I must do to permit this? The DC
> is also used for some minor file sharing. In the past this admin was just
> granted Domain Administrator rights but I am trying to reduce their
> privileges to only allow them to administer their own OU.

Delegating the OU (control of the AD objects) and making
someone a server or even domain admin are two separate
issues.

-- 
Herb Martin
>
> Thanks,
> Fred
>
>
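
Added example (not part of the original thread): a read-only PowerShell check, run elevated on the DC with the ActiveDirectory module, that reports separately the two things the reply distinguishes for one group: its ACEs on the OU, and whether it holds the "Allow log on locally" right (SeInteractiveLogonRight). The group name and OU DN are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run elevated on the DC.
# $GroupName and $OuDn are hypothetical placeholders.
Import-Module ActiveDirectory
$GroupName = 'SiteA-OU-Admins'
$OuDn      = 'OU=SiteA,DC=example,DC=com'

$group   = Get-ADGroup -Identity $GroupName
$parents = @(Get-ADPrincipalGroupMembership -Identity $group)   # direct parents only

# 1. OU delegation: ACEs granted to the group on the OU object.
$ouAces = @((Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$GroupName" })

# 2. Logon right: export the user-rights assignment currently applied to
#    this DC and read who holds SeInteractiveLogonRight (Allow log on locally).
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content -Path $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item -Path $inf
$holders = @()
if ($line) {
    # Entries are "*<SID>" or plain account names, comma separated.
    $holders = ($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
# The group holds the right directly or through a group it is a direct member of.
$candidates = @($group.SID.Value, $group.Name) +
    @($parents | ForEach-Object { $_.SID.Value; $_.Name })
$viaHolders = @($candidates | Where-Object { $holders -contains $_ } | Select-Object -Unique)

# 3. Least privilege: the group should not sit in Domain Admins (RID 512).
$inDomainAdmins = [bool]($parents | Where-Object { $_.SID.Value -match '-512$' })

[pscustomobject]@{
    Group           = $group.Name
    OuAceCount      = $ouAces.Count
    OuRights        = ($ouAces | ForEach-Object { $_.ActiveDirectoryRights } |
                          Select-Object -Unique) -join '; '
    CanLogOnLocally = ($viaHolders.Count -gt 0)
    GrantedVia      = $viaHolders -join ', '
    InDomainAdmins  = $inDomainAdmins
}
```

A group that was only added through the Delegation of Control wizard shows a non-zero OuAceCount with CanLogOnLocally False, which matches the behaviour described in the question.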

