Re: Delegate Control to rename and add/remove computer from domain



"Flash3200" <Flash3200@xxxxxxxxx> wrote in message
news:1172610328.302714.277520@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I want to delegate control to our Desktop Support group to be able to
add computers to the domain and also be able to rename computers
already on the domain. Is it as easy as just giving them the rights
to create objects and delete objects for the computer objects? There
are a ton of possibilities of what they can do to computer objects but
most don't appear to apply. Anyone gone through this already?


No, it is not quite that simple.

(First, as an aside, I would highly recommend that you adopt a
practice of defining groups to which delegations are made, and
name them well so that they are clearly existing for use only in
that (set of) delegation(s). Then, put the groups of those that
should hold the delegation in this new delegation group. It can
become very, very difficult to unravel delegations in the grants
on the delegated objects at a later date if you do not approach
this with a plan that you do keep using consistently).

Why is it not that simple?

For example, computer objects get created in a default location
(which, if the domain is at W2k3 functional mode, you can adjust)
and they may need to be granted ability to move computer objects
from there to OUs, or between OUs, etc. Yes, you could require
that they precreate computer objects in the correct OUs, but believe
me, that will not always happen.

You said delegating create/delete for computer objects is planned.
Did you mean in the entire domain? If so you just gave them the
ability to delete a DC, or other server. If not, then the issues that
I mentioned before come into play, and you make the delegations
at specific OUs.

What about rename? Well, rename also involves letting the actual
computer know about this, so are they also admins on the machines
whose objects are involved in the rename?
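One way to apply the reply's advice (a dedicated delegation group, grants made at a specific OU rather than the domain, and only the per-object rights a join or rename actually needs), as an added example written for this thread rather than anything either poster supplied. It assumes the ActiveDirectory PowerShell module, a hypothetical group Deleg-DesktopSupport-Computers, and a placeholder OU DN; the cn/name attributes listed for the directory-side rename are an assumption, and the machine-side rename still requires local admin on the box, as the reply points out.

```powershell
# Added example, not from the thread. Delegate only what Desktop Support needs,
# scoped to one OU. Hypothetical names: the group and the OU below.
Import-Module ActiveDirectory

$DelegationGroup = 'Deleg-DesktopSupport-Computers'     # group that exists only for this delegation
$TargetOU        = 'OU=Workstations,DC=example,DC=com'  # placeholder; deliberately not the domain root

$rootDse  = Get-ADRootDSE
$groupSid = (Get-ADGroup -Identity $DelegationGroup).SID
$schemaNC = $rootDse.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Look GUIDs up in this forest's schema instead of hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID).schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    [guid](Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid).rightsGuid
}

$computerClass = Get-SchemaGuid 'computer'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rules   = @()

# 1) Create/delete child objects of class computer only, in this OU and its sub-OUs.
$rules += [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]'CreateChild,DeleteChild', $allow, $computerClass, $inhAll)

# 2) On computer objects below the OU: what joining a pre-created account needs
#    (reset password, account restrictions, validated DNS host name / SPN writes).
$perObject = @(
    @{ Guid = Get-RightGuid 'Reset Password';                            Right = 'ExtendedRight' },
    @{ Guid = Get-RightGuid 'Account Restrictions';                      Right = 'WriteProperty' },  # property set
    @{ Guid = Get-RightGuid 'Validated write to DNS host name';          Right = 'Self' },
    @{ Guid = Get-RightGuid 'Validated write to service principal name'; Right = 'Self' },
    # Renaming the directory object itself: write on the RDN (cn) and name attributes (assumption).
    @{ Guid = Get-SchemaGuid 'cn';   Right = 'WriteProperty' },
    @{ Guid = Get-SchemaGuid 'name'; Right = 'WriteProperty' }
)
foreach ($p in $perObject) {
    $rules += [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, [System.DirectoryServices.ActiveDirectoryRights]$p.Right, $allow, $p.Guid, $descend, $computerClass)
}

$acl = Get-Acl -Path "AD:\$TargetOU"
$rules | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Review what was granted; nothing above touches the domain root or DC/server OUs.
(Get-Acl "AD:\$TargetOU").Access | Where-Object { $_.IdentityReference -like "*\$DelegationGroup" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Moving computer objects out of the default Computers container into this OU, which the reply also raises, is a separate grant on the source container and is not included here.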
