Re: Need limited domain admin rights user account.
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: Wed, 17 Aug 2005 17:48:45 -0700
Sorry Mike, I was being brain-dead in saying there was a group for
adding computers to the domain, when I meant that there is a group policy
setting for that, in the computer tree, local policy / user rights section,
named "Add workstations to domain", into which you may add the
groups whose members will be allowed to do this.
I believe that there was something else going on to cause the group
change you see and are attributing to an action of the delegation wiz.
Now, I am not sure what, but it would be the first I have heard of that
wiz altering groups rather than ACLs.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Mike Bailey" <firstname.lastname@example.org> wrote in message
news:uJslVu0oFHA.1204@TK2MSFTNGP12.phx.gbl...
> This is what I did though - I ran the delegation of control wizard and
> only selected "Reset user passwords and force password change" and "Join
> a computer to the domain". When I looked at the security properties of
> the group this was just performed on, the Domain Users group had been added.
>
> You said that there is a group for allowing an account to add computers
> to the domain without using the Domain Admin - what is that then?
>
> I have made some screen shots of the selections I made in the delegation
> wizard and of the resulting security settings if you would like to see
> them. They are in a Word doc.
>
> Thanks,
> Mike
>
> Roger Abell wrote:
> > The delegation of control wizard does not add group memberships
> > to accounts or (by nesting) groups. It only modifies the ACLs on
> > AD objects in order to effect grants to the group (or, bad form, the
> > account) to which it is delegating.
> >
> > Yes, there is both a group for allowing an account to add computers
> > to the domain, and this can also be done with the delegation of
> > control wizard. Granting Domain Admin is not needed.
> >
> > --
> > Roger Abell
> > Microsoft MVP (Windows Security)
> > MCSE (W2k3,W2k,Nt4) MCDBA
> >
> > "Mike Bailey" <email@example.com> wrote in message
> > news:eS44uPmoFHA.firstname.lastname@example.org...
> > > I thought I had found a solution to what I wanted by running the
> > > Delegate Control Wizard. I was able to select the Group I wanted to
> > > use and then gave it the rights to manage user passwords and to add
> > > computers to the Domain. But, when I went back and looked at the actual
> > > rights assigned, it added Account Operators I assumed for the password
> > > management, and then Domain Admins I assume to join computers to the
> > > domain.
> > > That put me right back to where I was trying to get away from,
> > > which was not making the user a Domain Admin.
> > >
> > > Is there a way to give a Group or User the rights to join a computer to
> > > the domain without making them a Domain Admin?
> > >
> > > Mike
> > >
> > > Roger Abell wrote:
> > > > Part of what I was trying to say was to first figure out what it is that
> > > > you do want the custom group to be able to do.
> > > > I guess you do in fact want these accounts to be able to do everything
> > > > except for "can't take ownership of folders, can't change security settings
> > > > on folders, can't change Administrator passwords".
> > > >
> > > > I was thinking that you would have a shorter, and precise, list of what
> > > > the account should be able to do, in which case one can work forward
> > > > toward filling those needs with grants and delegations.
> > > >
> > > > Given what you have stated, I do not see a way to do that.
> > > > The first two of the three things that should not be possible I can
> > > > see how to take away from Administrators and instead grant only
> > > > to some new group SpecialAdmins that should keep the capabilities.
> > > > The second would be extremely labor filled to do.
> > > > The last however, not changing pwds of admins (but being able to
> > > > change pwd of other accounts), is not obtainable in local machines
> > > > when working backwards from Administrators.
> > > >
> > > > Anyway, it is virtually certain that restricting Administrators will
> > > > result in some of those admins finding the ways to get around or
> > > > remove the restrictions.
> > > > You need to go the other direction and list all that you do want
> > > > the people to be able to do.
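The disagreement in the thread is whether the Delegation of Control wizard wrote ACEs on an AD object or changed group memberships. The two can be told apart by reading the object's ACL and the privileged groups' member lists separately, and the "Add workstations to domain" user right can be read from the effective security policy of the machine it is run on. The following PowerShell script is an added example written for this page, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, that it is run on a domain-joined machine (for the user-right check, on a domain controller), and the OU distinguished name is a placeholder to be replaced. The two schema GUIDs are the well-known values for the Reset Password extended right and the computer object class.

```powershell
# Added example (not from the thread): distinguish ACL delegation on an OU
# from privileged group membership, and read the "Add workstations to domain"
# user right. Assumes RSAT ActiveDirectory module; $TargetOU is a placeholder.
Import-Module ActiveDirectory

$TargetOU = 'OU=Workstations,DC=example,DC=com'   # placeholder, replace with your OU

# Well-known schema GUIDs that the wizard's two tasks in the thread produce ACEs for.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$ComputerClass      = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class

function Get-DelegatedAce {
    # Lists only the ACEs set directly on the object, so inherited defaults
    # (which already include Domain Admins, Account Operators, etc.) are not
    # mistaken for something the wizard added.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        $rights = $ace.ActiveDirectoryRights
        if ($ace.ObjectType -eq $ResetPasswordRight) {
            $task = 'Reset password (extended right)'
        } elseif ($ace.ObjectType -eq $ComputerClass -and
                  $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild)) {
            $task = 'Create computer objects (join to domain)'
        } else {
            $task = $rights.ToString()
        }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Task      = $task
            AppliesTo = $ace.InheritedObjectType   # object class the ACE is scoped to
        }
    }
}

function Get-PrivilegedGroupMembers {
    # Expands nested membership; compare this before and after a delegation
    # run to confirm the wizard did not touch group membership.
    foreach ($g in 'Domain Admins', 'Account Operators', 'Administrators') {
        Get-ADGroupMember -Identity $g -Recursive |
            Select-Object @{ n = 'Group'; e = { $g } }, Name, objectClass
    }
}

function Get-AddWorkstationsRight {
    # Reads SeMachineAccountPrivilege ("Add workstations to domain") from the
    # effective policy of this machine; on a DC that reflects the domain
    # controllers GPO. Entries are SIDs prefixed with '*'.
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeMachineAccountPrivilege*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    (($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object {
        $sid = $_.Trim().TrimStart('*')
        try { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }
    }
}

"== Explicit ACEs on $TargetOU =="
Get-DelegatedAce -DistinguishedName $TargetOU | Format-Table -AutoSize

"== Privileged group membership =="
Get-PrivilegedGroupMembers | Format-Table -AutoSize

"== Holders of 'Add workstations to domain' on this machine =="
Get-AddWorkstationsRight
```

Run the script once before and once after using the wizard and diff the three sections: a correctly delegated "Join a computer to the domain" task shows up as a CreateChild ACE on computer objects for the delegated group in the first section, while the second section should be unchanged. The user-right section corresponds to the policy setting Roger describes (Computer Configuration, Local Policies, User Rights Assignment, "Add workstations to domain") and is the non-ACL route to the same capability.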