Solved

Grant Permissions to Create/Delete or Modify Computer Objects

Posted on 2006-06-09
5
1,182 Views
Last Modified: 2011-10-03
We have a tech helping us out at the office and he will be required to join some machines to the domain. We have granted him both the "Create Computer Objects" and the "Delete Computer Objects" permissions so that he can continue joining computers to the domain. The problem I'm having now is that he gets a permissions error when he simply tries to rename a computer already joined to the domain. I don't see any "Modify Computer Objects" permissions. As a workaround he has to join the computer to a workgroup, then back to the domain. We'd like to be able to just give him the ability to rename the computer, though...so how do I grant this privelage?
0
Comment
Question by:DVation191
5 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16870608
renaming a computer is a tool delegated to the administrator of the machine, you can try the power users group but i am not sure if that will even allow i
0
 
LVL 2

Expert Comment

by:krais99
ID: 16871580
There is a default group in the domain called "Account Operators"  

Excerpt from Microsoft:
"Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution."

I'm not sure how much freedom you wish this tech to be able to have, as this group would also give him access to users accounts and user groups with the exception of the domain admins.

Todd
0
 
LVL 20

Author Comment

by:DVation191
ID: 16872298
That *may* be the best solution. I would think you should be able to add someone to that group and still explicitly deny the person the ability to modify user accounts, right?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 16872374
Create a Security Group just for this person.
On the Properties of the domain (or a sub OU that contains all the computer accounts), select the Security tab.
Add this new Security Group.
Select the Advanced button.
Double click the new security group to open the Special Permissions applet.
Select Clear All.
In the dropdown, select Computer Objects
In the permissions, select Full Control.

This should give the new Security Group full control of all computer accounts.

0
 
LVL 20

Author Comment

by:DVation191
ID: 16872479
Perfect! Thanks Netman66.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question