DVation191
asked on
Grant Permissions to Create/Delete or Modify Computer Objects
We have a tech helping us out at the office and he will be required to join some machines to the domain. We have granted him both the "Create Computer Objects" and the "Delete Computer Objects" permissions so that he can continue joining computers to the domain. The problem I'm having now is that he gets a permissions error when he simply tries to rename a computer already joined to the domain. I don't see any "Modify Computer Objects" permissions. As a workaround he has to join the computer to a workgroup, then back to the domain. We'd like to be able to just give him the ability to rename the computer, though...so how do I grant this privelage?
Jay_Jay70
renaming a computer is a tool delegated to the administrator of the machine, you can try the power users group but i am not sure if that will even allow i
There is a default group in the domain called "Account Operators"
Excerpt from Microsoft:
"Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution."
I'm not sure how much freedom you wish this tech to be able to have, as this group would also give him access to users accounts and user groups with the exception of the domain admins.
Todd
Excerpt from Microsoft:
"Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Because this group has significant power in the domain, add users with caution."
I'm not sure how much freedom you wish this tech to be able to have, as this group would also give him access to users accounts and user groups with the exception of the domain admins.
Todd
ASKER
That *may* be the best solution. I would think you should be able to add someone to that group and still explicitly deny the person the ability to modify user accounts, right?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Perfect! Thanks Netman66.