Re: change permissions



You want to look at Active Directory delegation to allow a regular user to
change passwords on non-privileged accounts and add computers to the domain.
You can select the container you want to do the delegation on, right-click,
and select Delegate to start the Delegation Wizard, which will then give you
some generic choices, or you can select advanced/custom if you need to fine-tune
permissions for AD object types. The user/group needs the permissions
to create computer accounts to add computers to the domain. As far as
printers, if you are talking about printers on domain computers, you can add
the users/group to the local administrators or possibly power users group if
need be on the domain workstations, which can be done with a Group Policy
startup script or using Group Policy Restricted Groups if you need to do it
for a large number of domain computers.

--- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html ---
Group Policy Restricted Groups which has two distinct modes. One will
replace/enforce current group membership and one will add to it.
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
--- AD delegation white paper of which most also applies to Windows 2000.

"Greg" <Greg@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B2052CAB-1481-4B3D-832D-1ADE6F54452A@xxxxxxxxxxxxxxxx
Hello all,

I need to set permissions for users so that they are removed from the
domain admins group, but still retain permissions such as having access to change
passwords, add printers, and add computers to the domain. We are currently
running a Windows 2000 domain in native mode.

What's the best way to achieve this?

Thanks for your time

Sincerely,

Greg
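
The delegation described in the reply can also be granted from the command line instead of the wizard. This is an added example, not part of the original thread, using dsacls from the Windows Support Tools; the OU paths, the domain and the EXAMPLE\Helpdesk group are assumed placeholder names.

```bat
@echo off
rem Added example. All names below are assumptions; replace them with your own.
set "USERS_OU=OU=Staff,DC=example,DC=com"
set "COMPUTERS_OU=OU=Workstations,DC=example,DC=com"
set "DELEGATE=EXAMPLE\Helpdesk"

rem Grant the Reset Password extended right on user objects below the OU.
rem /I:S applies the entry to child objects only, not to the OU itself.
rem Keep privileged accounts out of this OU so the grant never reaches them.
dsacls "%USERS_OU%" /I:S /G "%DELEGATE%:CA;Reset Password;user"

rem Allow read/write of pwdLastSet so the delegate can force
rem "user must change password at next logon" after a reset.
dsacls "%USERS_OU%" /I:S /G "%DELEGATE%:RPWP;pwdLastSet;user"

rem Allow creating computer objects directly in the workstation OU
rem (no /I switch, so the entry applies to this OU only).
dsacls "%COMPUTERS_OU%" /G "%DELEGATE%:CC;computer"

rem Print the resulting ACLs to confirm only the intended entries were added.
dsacls "%USERS_OU%"
dsacls "%COMPUTERS_OU%"
```

Granting to a group rather than to individual users keeps the ACL small and lets membership changes take effect without editing permissions again.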

