Re: Need limited domain admin rights user account.

From: Mike Bailey (mbailey_at_beaumontproducts.com)
Date: 08/16/05


Date: Tue, 16 Aug 2005 09:15:48 -0400

I thought I had found a solution to what I wanted by running the
Delegate Control Wizard. I was able to select the Group I wanted to
use and then gave it the rights to manage user passwords and to add
computers to the Domain. But, when I went back and looked at the actual
rights assigned, it added Account Operators I assumed for the password
management, and then Domain Admins I assume to join computers to the
domain. That put me right back to where I was trying to get away from
which was not making the user a Domain Admin.

Is there a way to give a Group or User the rights to join a computer to
the domain without making them a Domain Admin?

Mike

Roger Abell wrote:
> Part of what I was trying to say was to first, figure out what it is that
> you do want the custom group to be able to do.
> I guess you do in fact want these accounts to be able to do everything
> except for "can't take ownership of folders, can't change security settings
> on folders, can't change Administrator passwords"
>
> I was thinking that you would have a shorter, and precise list of what
> the account should be able to do, in which case one can work forward
> toward filling those needs with grants and delegations.
>
> Given what you have stated, I do not see a way to do that.
> The first two of the three things that should not be possible I can
> see how to take away from Administrators and instead grant only
> to some new group SpecialAdmins that should keep the capabilities.
> The second would be extremely labor filled to do.
> The last however, not changing pwds of admins (but being able to
> change pwd of other accounts) is not obtainable in local machines
> when working backwards from Administrators.
>
> Anyway, it is virtually certain that restricting Administrators will
> result in some of those admins finding the ways to get around or
> remove the restrictions.
> You need to go the other direction and list all that you do want
> the people to be able to do.
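One way to do the kind of delegation asked about above, as an added example that is not from this thread or any of its participants: grant a security group only the ACEs a domain join needs on one OU with dsacls, rather than adding it to Domain Admins or Account Operators. The domain, OU and group names are assumptions, and step 3 needs the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the thread): delegate "join computer to domain" to a
# security group on a single OU instead of adding the group to Domain Admins.
# Assumed names: domain EXAMPLE (DC=example,DC=com), group EXAMPLE\WorkstationJoiners,
# target OU "OU=Workstations,DC=example,DC=com". Run as a user allowed to change
# the OU's ACL (e.g. a Domain Admin doing the one-time delegation).

$ou    = 'OU=Workstations,DC=example,DC=com'
$group = 'EXAMPLE\WorkstationJoiners'

# 1. Let the group create computer objects in this OU and its child OUs
#    (/I:T = this object and sub-objects; CC = Create Child of class "computer").
dsacls $ou /I:T /G "${group}:CC;computer"

# 2. On computer objects under the OU (/I:S = sub-objects only), grant just what
#    a join and re-join need: reset the machine password, read/write the
#    "account restrictions" property set (userAccountControl), and validated
#    writes to dnsHostName and servicePrincipalName. Nothing here touches
#    users, groups, folders or other admins' passwords.
dsacls $ou /I:S /G "${group}:CA;Reset Password;computer"
dsacls $ou /I:S /G "${group}:RPWP;account restrictions;computer"
dsacls $ou /I:S /G "${group}:WS;Validated write to DNS host name;computer"
dsacls $ou /I:S /G "${group}:WS;Validated write to service principal name;computer"

# 3. Optional tightening: by default any authenticated user may join up to 10
#    machines to the domain; setting the quota to 0 means joins only happen
#    through explicit delegations like the one above.
Set-ADDomain -Identity 'example.com' -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }

# 4. Verify: the group shows up in the OU's ACL, and is NOT a member of the
#    built-in high-privilege groups the wizard had handed out.
dsacls $ou | Select-String -Pattern 'WorkstationJoiners'
foreach ($g in 'Domain Admins', 'Account Operators') {
    if (Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.SamAccountName -eq 'WorkstationJoiners' }) {
        Write-Warning "WorkstationJoiners is still (nested) in $g"
    }
}
```

Members of the group can then run `Add-Computer -DomainName example.com -OUPath $ou` on a workstation, but cannot create or join machines outside that OU.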


