Re: Need limited domain admin rights user account.
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/17/05
- Next message: Roger Abell: "Re: Need limited domain admin rights user account."
- Previous message: Roger Abell: "Re: Is NT4 affected by the new MS05-039 Plug-n-Play Vulnerability?"
- In reply to: Mike Bailey: "Re: Need limited domain admin rights user account."
- Next in thread: Mike Bailey: "Re: Need limited domain admin rights user account."
- Reply: Mike Bailey: "Re: Need limited domain admin rights user account."
Date: Tue, 16 Aug 2005 20:28:21 -0700
The delegation of control wizard does not add group memberships
to accounts or (by nesting) groups. It only modifies the ACLs on
AD objects in order to effect grants to the group (or, bad form, the
account) to which it is delegating.
Yes, there is a group for allowing an account to add computers
to the domain, and this can also be done with the delegation of
control wizard. Granting Domain Admin is not needed.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Mike Bailey" <mbailey@beaumontproducts.com> wrote in message
news:eS44uPmoFHA.3256@tk2msftngp13.phx.gbl...
> I thought I had found a solution to what I wanted by running the
> Delegate Control Wizard. I was able to select the Group I wanted to
> use and then gave it the rights to manage user passwords and to add
> computers to the Domain. But, when I went back and looked at the actual
> rights assigned, it added Account Operators I assumed for the password
> management, and then Domain Admins I assume to join computers to the
> domain. That put me right back to where I was trying to get away from
> which was not making the user a Domain Admin.
>
> Is there a way to give a Group or User the rights to join a computer to
> the domain without making them a Domain Admin?
>
> Mike
>
>
> Roger Abell wrote:
> > Part of what I was trying to say was to first, figure out what it is that
> > you do want the custom group to be able to do.
> > I guess you do in fact want these accounts to be able to do everything
> > except for "can't take ownership of folders, can't change security settings
> > on folders, can't change Administrator passwords"
> >
> > I was thinking that you would have a shorter, and precise list of what
> > the account should be able to do, in which case one can work forward
> > toward filling those needs with grants and delegations.
> >
> > Given what you have stated, I do not see a way to do that.
> > The first two of the three things that should not be possible I can
> > see how to take away from Administrators and instead grant only
> > to some new group SpecialAdmins that should keep the capabilities.
> > The second would be extremely labor filled to do.
> > The last however, not changing pwds of admins (but being able to
> > change pwd of other accounts) is not obtainable in local machines
> > when working backwards from Administrators.
> >
> > Anyway, it is virtually certain that restricting Administrators will
> > result in some of those admins finding the ways to get around or
> > remove the restrictions.
> > You need to go the other direction and list all that you do want
> > the people to be able to do.
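The following is an added example, not part of Roger Abell's or Mike Bailey's posts, showing what the Delegation of Control wizard actually writes (ACEs on the OU, not group memberships) and how to do the same from the command line and then verify it. It assumes a domain EXAMPLE / DC=example,DC=com, a group Helpdesk-Delegates, and two OUs (OU=Workstations for computer accounts, OU=Staff for ordinary user accounts); all of these names are placeholders. dsacls ships with the AD DS tools, and the AD: drive comes from the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the original thread). Names below are assumptions:
# EXAMPLE\Helpdesk-Delegates, OU=Workstations,... and OU=Staff,... must exist.
Import-Module ActiveDirectory

$group       = 'EXAMPLE\Helpdesk-Delegates'
$computersOu = 'OU=Workstations,DC=example,DC=com'
$usersOu     = 'OU=Staff,DC=example,DC=com'

# 1. Let the group create and delete computer objects in the Workstations OU.
#    This is the ACL-level grant behind "join a computer to the domain";
#    CC = create child, DC = delete child, restricted to the computer class.
#    /I:T applies the ACE to this object and all child objects.
dsacls $computersOu /I:T /G "${group}:CCDC;computer"

# 2. Let the group reset passwords of user objects under the Staff OU only.
#    CA = control access (an extended right), here "Reset Password",
#    inherited onto user objects (/I:S = sub-objects only, not the OU itself).
dsacls $usersOu /I:S /G "${group}:CA;Reset Password;user"

# 3. Read/write pwdLastSet so the helper can tick "must change password at
#    next logon" after a reset (RP = read property, WP = write property).
dsacls $usersOu /I:S /G "${group}:RPWP;pwdLastSet;user"

# Verification: the group now shows up as ACEs on the OUs ...
function Get-DelegatedAces {
    param([string]$DistinguishedName, [string]$Identity)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference -like "*$Identity*" } |
        Select-Object IdentityReference, ActiveDirectoryRights,
                      AccessControlType, ObjectType, InheritedObjectType, IsInherited
}
Get-DelegatedAces -DistinguishedName $computersOu -Identity 'Helpdesk-Delegates' | Format-Table -AutoSize
Get-DelegatedAces -DistinguishedName $usersOu     -Identity 'Helpdesk-Delegates' | Format-Table -AutoSize

# ... while its group memberships are untouched: it must not have become a
# member of Domain Admins or Account Operators as a side effect.
Get-ADPrincipalGroupMembership -Identity 'Helpdesk-Delegates' | Select-Object -ExpandProperty Name
Get-ADGroupMember -Identity 'Domain Admins'     | Select-Object -ExpandProperty SamAccountName
Get-ADGroupMember -Identity 'Account Operators' | Select-Object -ExpandProperty SamAccountName
```

Two things to check when reading the output. First, ObjectType and InheritedObjectType are shown as schema GUIDs, so an ACE for step 2 appears with ObjectType 00299570-246d-11d0-a768-00aa006e0529 (the Reset Password right) and InheritedObjectType bf967aba-0de6-11d0-a285-00aa003049e2 (the user class); an ACE that lists Domain Admins or Account Operators with IsInherited set to True was already on the OU before delegation, which is the usual explanation for seeing those groups in the permissions view. Second, scope matters more than the right itself: the Reset Password grant must be placed on an OU that holds only ordinary user accounts, because anyone who can reset an administrator's password is effectively an administrator.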