Re: Admin Privs without being in the administrator group
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/03/05
- In reply to: geekmirth: "Re: Admin Privs without being in the administrator group"
Date: Fri, 3 Jun 2005 07:22:44 -0700
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"geekmirth" <geekmirth@_-~nospam~-_rebeloutpost0com> wrote in message
news:b9ednescHdqIxj3fRVn-tQ@comcast.com...
> It's the AD objects I don't want them to have access to. What I'm looking
> for is an account that does maintenance type of work on an AD DC without being
> able to create/modify/delete OUs, users, resources... Basically, an
> individual that could reboot the system, install drivers, install patches,
> create shares... That's about it.
>

Well, for some of these there is the group named Server Operators, but not
for the installs, etc., for which you could consider the group Administrators.

> If there was a "workstation" equivalent administrator group I would just add
> them to that. But, because it's a DC, this does exist.

?? you do not have an Administrators group ??
Look in Builtin container

> I tried to set it up
> so they could simply open the Add Hardware control panel, but I can't even
> get that. I'm beginning to believe that you have to be a member of the
> administrators group to do this regardless of whether or not you have the
> Load and Unload driver user right.
>
> G
>
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:%23E5PMO$ZFHA.2940@tk2msftngp13.phx.gbl...
> > Just what in the world are you actually wanting them to be able to do?
> >
> > Reread your subject and think - contradiction.
> >
> > You can make them members of Administrators in the domain, or
> > of Domain Admins, with the second having more grants on the objects
> > composing AD and having by default Administrators membership on
> > all machines in the domain. You can then try to cripple some of the
> > things. Or you could take a Users or Power Users member and
> > then spend endless time granting on thousands of AD objects, etc.
> >
> > With the first you would have something that is reduced from the
> > admin membership given only in its initial, but changeable, behaviors.
> > With the second you would just end up with a mess, assuming there
> > were no errors made during the ACL changes needed all over the place.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Server: Security)
> > MCDBA, MCSE W2k3+W2k+Nt4
> > "geekmirth" <geekmirth@_-~nospam~-_rebeloutpost0com> wrote in message
> > news:AMmdnRu7lJhS6QLfRVn-rw@comcast.com...
> > > Hello all,
> > >
> > > I'm looking to see if something is even possible. I have a user, and I
> > > want to give them admin privileges to an AD Domain Controller, but I
> > > don't want them to be able to make changes in the domain (add users,
> > > delete users, grant user rights...)
> > >
> > > Is this possible? So far, I've given the user full control of the hard
> > > drive and registry, as well as granting them every user right that the
> > > administrators group is a member of?
> > >
> > > Is there something I'm missing, or is it just not possible? As it is,
> > > I'm working with a simple virtual machine, so I'm open to just about any
> > > suggestion.
> > >
> > > Thanks in advance for any assistance.
> > > G
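
Added example, not part of the original thread or written by either poster: a way to check the "every user right that Administrators has" step from the first post by parsing the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file and listing the rights Administrators holds that a given account and its groups do not. The sample export, the account SID and the function names are constructed for illustration.

```python
import configparser

ADMINISTRATORS = "S-1-5-32-544"    # BUILTIN\Administrators
SERVER_OPERATORS = "S-1-5-32-549"  # BUILTIN\Server Operators
MAINT_USER = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID

# Constructed sample in the layout secedit writes; not taken from a real DC.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs/names} from a secedit export."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep the SeXxx casing of right names
    parser.read_string(inf_text)
    rights = {}
    if parser.has_section("Privilege Rights"):
        for right, value in parser.items("Privilege Rights"):
            # SIDs are written with a leading '*'; strip it for comparison.
            rights[right] = {p.strip().lstrip("*")
                             for p in value.split(",") if p.strip()}
    return rights

def rights_held(rights, principals):
    """Rights assigned to any of the given principals (account plus groups)."""
    wanted = set(principals)
    return {r for r, holders in rights.items() if holders & wanted}

def rights_gap(rights, reference, candidate_principals):
    """Rights the reference principal holds that the candidate lacks."""
    return sorted(rights_held(rights, [reference])
                  - rights_held(rights, candidate_principals))

if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_INF)
    for right in rights_gap(parsed, ADMINISTRATORS, [MAINT_USER, SERVER_OPERATORS]):
        print("held by Administrators only:", right)
```

An empty gap only shows that the user rights match; access granted to the Administrators group through ACLs on files, registry keys and AD objects does not appear in this export.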