Re: Need limited domain admin rights user account.

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 08/18/05


Date: Wed, 17 Aug 2005 17:48:45 -0700

Sorry Mike, I was being brain-dead in saying there was a group for
adding computers to domain, when I meant that there is a group policy
setting for that, in the computer tree, local policy / user rights section,
named Add workstations to domain, into which you may add the
groups whose members will be allowed to do this.

I believe that there was something else going on to cause the group
change you see and are attributing to an action of the delegation wiz.
Now, I am not sure what, but it would be the first I have heard of that
wiz altering groups rather than ACLs.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Mike Bailey" <mbailey@beaumontproducts.com> wrote in message
news:uJslVu0oFHA.1204@TK2MSFTNGP12.phx.gbl...
> This is what I did though - I ran the delegation of control wizard and
> only selected "Reset user passwords and force password change" and "Join
> a computer to the domain".  When I looked at the security properties of
> the group this was just performed on, the Domain Users group had been
> added.
>
> You said that there is a group for allowing an account to add computers
> to the domain without using the Domain Admin - what is that then?
>
> I have made some screen shots of the selections I made in the delegation
> wizard and of the resulting security settings if you would like to see
> them.  They are in a Word doc.
>
> Thanks,
> Mike
>
> Roger Abell wrote:
> > The delegation of control wizard does not add group memberships
> > to accounts or (by nesting) groups.  It only modifies the ACLs on
> > AD objects in order to effect grants to the group (or, bad form, the
> > account) to which it is delegating.
> >
> > Yes, there is both a group for allowing an account to add computers
> > to the domain, and this can also be done with the delegation of
> > control wizard.  Granting Domain Admin is not needed.
> >
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4)  MCDBA
> "Mike Bailey" <mbailey@beaumontproducts.com> wrote in message
> news:eS44uPmoFHA.3256@tk2msftngp13.phx.gbl...
>
>  >> I thought I had found a solution to what I wanted by running the
>  >> Delegate Control Wizard.  I was able to select the Group I wanted to
>  >> use and then gave it the rights to manage user passwords and to add
>  >> computers to the Domain.  But, when I went back and looked at the actual
>  >> rights assigned, it added Account Operators I assumed for the password
>  >> management, and then Domain Admins I assume to join computers to the
>  >> domain.  That put me right back to where I was trying to get away from,
>  >> which was not making the user a Domain Admin.
>  >>
>  >> Is there a way to give a Group or User the rights to join a computer to
>  >> the domain without making them a Domain Admin?
>  >>
>  >> Mike
>  >>
>  >>
>  >> Roger Abell wrote:
>  >
>  >>> > Part of what I was trying to say was to first, figure out what it is that
>  >>> > you do want the custom group to be able to do.
>  >>> > I guess you do in fact want these accounts to be able to do everything
>  >>> > except for "can't take ownership of folders, can't change security settings
>  >>> > on folders, can't change Administrator passwords"
>  >>> >
>  >>> > I was thinking that you would have a shorter, and precise list of what
>  >>> > the account should be able to do, in which case one can work forward
>  >>> > toward filling those needs with grants and delegations.
>  >>> >
>  >>> > Given what you have stated, I do not see a way to do that.
>  >>> > The first two of the three things that should not be possible I can
>  >>> > see how to take away from Administrators and instead grant only
>  >>> > to some new group SpecialAdmins that should keep the capabilities.
>  >>> > The second would be extremely labor filled to do.
>  >>> > The last however, not changing pwds of admins (but being able to
>  >>> > change pwd of other accounts) is not obtainable in local machines
>  >>> > when working backwards from Administrators.
>  >>> >
>  >>> > Anyway, it is virtually certain that restricting Administrators will
>  >>> > result in some of those admins finding the ways to get around or
>  >>> > remove the restrictions.
>  >>> > You need to go the other direction and list all that you do want
>  >>> > the people to be able to do.
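The two mechanisms Roger describes above (the "Add workstations to domain" user right, and the delegation wizard writing ACEs rather than group memberships) can both be checked from a domain controller. The script below is an added example for this thread, not code posted by Roger or Mike. It assumes the RSAT ActiveDirectory module is available; the OU path and the group name are placeholders to replace with the OU the wizard was run on and the group that was delegated to.

```powershell
# Added example (not from the thread): audit what a delegation actually granted.
# Assumes the ActiveDirectory module (RSAT). $OU and $Group are placeholders.
Import-Module ActiveDirectory

$OU    = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU the wizard was run against
$Group = 'HelpdeskOps'                          # placeholder: group that was delegated to

# 1. Who holds the "Add workstations to domain" user right (SeMachineAccountPrivilege)?
#    secedit exports the effective local policy; on a DC this is what the
#    Default Domain Controllers Policy user rights section resolved to.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' | Select-Object -First 1
if ($line) {
    # Value looks like "*S-1-5-11,*S-1-5-21-...-1105"; strip the leading '*' and resolve each SID
    $sids = ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = $sid }
        "Add workstations to domain is held by: $name"
    }
} else {
    "SeMachineAccountPrivilege is not set in the exported policy"
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 2. The delegation wizard changes ACLs: list the explicit (non-inherited) ACEs
#    on the OU that name the delegated group. ObjectType is the GUID of the
#    object class or extended right (e.g. computer objects, Reset Password).
$acl = Get-Acl -Path "AD:\$OU"
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$Group" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# 3. Confirm the wizard did not make the group a member (directly or by nesting)
#    of a privileged group. LDAP_MATCHING_RULE_IN_CHAIN walks nested membership.
$groupDn = (Get-ADGroup -Identity $Group).DistinguishedName
$parents = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$groupDn)" |
           Select-Object -ExpandProperty Name
foreach ($priv in 'Domain Admins', 'Account Operators', 'Administrators') {
    if ($parents -contains $priv) { "WARNING: $Group is nested in $priv" }
    else                          { "$Group is not a member of $priv" }
}
```

If step 2 shows ACEs for the group but step 3 reports no privileged membership, the delegation behaved as Roger says it should; any Domain Admins or Account Operators membership found in step 3 came from somewhere other than the wizard and should be traced separately.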

