Re: Split AD and Server Administration

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 08/18/05

  • Next message: Gazzeg: "Leicence Key" 
    Date: Thu, 18 Aug 2005 00:43:08 -0500

    If you do not need them to do all that on domain controllers then you can
    make them local administrators on the computers/servers you want them to
    manage and delegate them the permissions to add/remove computers as Roger
    stated. However you will not be able to have them do all you describe on
    domain controllers without being in the administrators group for the domain,
    particularly change network settings and install applications. --- Steve

    "Onion" <Onion@discussions.microsoft.com> wrote in message
    news:D4F5D073-98D0-40C9-921C-23F1027B586B@microsoft.com...
    >A year and a half ago we split support of Active Directory from the support
    > of Windows Servers. At the current time we want to remove the Windows
    > Server
    > Team from Domain Admins and Administrators groups on the domain
    > controllers.
    > The Windows Server Team (WST) should be able to do all normal tasks like
    > manage hardware, add/remove apps, run perfmon, change network settings,
    > etc
    > while only having the ability to add/remove computers from AD.
    >
    > Is all of this possible??? They would need more permissions than the
    > default permissions granted to Server Operators. Any try to accomplish
    > this?

  • Next message: Gazzeg: "Leicence Key"

    Relevant Pages

    • Re: Giving admin rights to a subset of computers
      ... level for the computers you want this to happen on. ... member of" for administrators at the OU level. ... domain assuming that domain controllers are not in the scope of management ...
      (microsoft.public.win2000.security)
    • Re: Remote Desktop Users and Least User Rights
      ... the Administrators group, the list of authorized remote users (My Computer ... Remote tab> Select Remote Users) gets wiped out. ... or you could create a simple startup script assigned via GPO to add them. ... You can create/link a new GPO at the appropriate OU where your computers ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Need help with sites configuration
      ... MCSE, MVP Directory Services ... All domain controllers have a copy of my DNS zone. ... All my clients have statically configured DNS servers 1 and 2 both on ... Production computers have a GPO, setting their DNS servers to 3 and 4 ...
      (microsoft.public.windows.server.active_directory)
    • IE Hangs for non-Admin users
      ... 5000+ Windows XP Service Pack 1 desktops. ... Our Helpdesk reports that by far the biggest call they are getting is to do ... - The problem does not happen on all computers and can't easily be replicated ... - The problem does not occur with users in the Administrators group ...
      (microsoft.public.windows.inetexplorer.ie6.browser)
    • Re: Rights Issues (i think) with domain pcs
      ... Quickbooks is the same and requires admin privileges on the local ... eh admin group on the local computers. ... I inherited this network also other wise i would have set up ... >> You probably know that a member of the domain administrators grp by ...
      (microsoft.public.windows.server.general)