
Active Directory delegation 3

Status
Not open for further replies.

windowsfan

IS-IT--Management
Jan 26, 2007
237
US
What rights do I need to give to a group of users to
create users, Exchange mailbox,
change group membership (but cannot change domain admin group membership),
delete users, computers (not server),
move computers / users between OUs
 
What does the documentation say?
[google]Windows delegate permissions[/google]
[google]exchange delegate permissions[/google]

"How do I.." questions are almost always answered quickly via a search.

This is considered an intelligent forum site. You are expected to do research on your own, and ask questions related to problems.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
I have configured delegation, but I have a couple of questions on how I can
allow users to change group membership (but cannot change domain admin group membership),
and
what permission is required to allow users to move computer and user objects between OUs.
 
If someone has the ability to edit group membership, they can add/remove any group, including domain admins.

They need write access to all related OUs. If you set up your objects in a top-down method, delegate at the top level the appropriate rights.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
So there is no way I can restrict non-domain-admin users from making changes to the domain admin / ent adm and administrators groups?
 
If you are delegating rights on an OU and the domain admin group does not exist within that OU, then you don't have to worry about it because they are/should be only delegated to that one OU; it's top-down as mentioned before.

I would get on a test server and play with the delegation rights.
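
An added example, not part of any reply in this thread: a PowerShell sketch of the OU-scoped delegation described above. It first checks that none of the privileged groups sit under the delegated OU, then grants write access to the `member` attribute of group objects below it. The OU path and the operator group name are assumptions.

```powershell
# Added example. The OU path and operator group below are assumed names,
# not values from the thread.
Import-Module ActiveDirectory

$DelegatedOU = 'OU=Staff,DC=corp,DC=com'      # assumed OU that holds the managed objects
$Operators   = 'CORP\HelpDesk-Operators'      # assumed group receiving the delegation
$Privileged  = 'Domain Admins', 'Enterprise Admins', 'Administrators'

# 1. Stop if any privileged group sits in the delegated subtree: rights granted
#    at the OU are inherited by every group object below it.
$inScope = foreach ($name in $Privileged) {
    Get-ADGroup -Filter "Name -eq '$name'" -SearchBase $DelegatedOU -SearchScope Subtree
}
if ($inScope) {
    throw "Privileged group(s) inside ${DelegatedOU}: $($inScope.Name -join ', ')"
}

# 2. Grant Write Property (WP) on the 'member' attribute, inherited (/I:S)
#    only by group objects below the OU.
dsacls $DelegatedOU /I:S /G "${Operators}:WP;member;group"

# 3. Review the access control entries the operator group now holds on the OU.
(Get-Acl -Path "AD:\$DelegatedOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Operators } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```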
 
Just wanted to add a "gotcha" which I got caught out on once. When you add a user to a group, you're changing both the user & the group - so if you want somebody to be able to add users to a group, you'll need to make sure the operator has the appropriate permissions to those user accounts.

I think 58sniper & Rockstar101 have already answered your other questions.

Good Luck :)

 
How can a user who is not a domain admin (Field Engineers) join PCs to the domain? I do not want to give add-computer rights to field engineers at root level.

Do I have any option other than using
redircmp ou=mycomputers,DC=corp,dc=com (Are there any cons to using this command?)
 