Re: create support admin user
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/17/05
- Next message: /.dz: "Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON"
- Previous message: DebraH: "create support admin user"
- In reply to: DebraH: "create support admin user"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Mar 2005 13:04:03 -0600
Any user can be given the right to logon to a domain controller by
configuring the "logon locally" user right in Domain Controller Security
Policy. Then you can add the user to privileged groups shown in Active
Directory Users and Computers such as DHCP administrators and DnsAdmins. As
far as troubleshooting applications they will have limited ability without
being an administrator but you can test that out to see if it suits your
needs by using privileged groups. Server operators is another group that you
may consider that will give the user more power but the user can then create
and delete shares but will not be able to create/delete OU's or manage
administrator accounts. --- Steve
"DebraH" <DebraH@discussions.microsoft.com> wrote in message
news:E8501DBE-5CD5-4726-9FCF-A1A099473F7B@microsoft.com...
> How do I make someone an admin but take away their rights to making
> changes
> within Active Directory? I would like to give a support user the ability
> to
> logon to Domain Controllers to troubleshoot DHCP, DNS and some
> applications
> that run on the server, but I do not want them to have the ability to make
> changes to Active Directory (create or delete OUs, delete admins etc).
>
> Thanks
> dhodgkins61@comcast.net
>
- Next message: /.dz: "Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON"
- Previous message: DebraH: "create support admin user"
- In reply to: DebraH: "create support admin user"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
