Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

SuperAD account

Posted on 2007-07-26
5
Medium Priority
?
182 Views
Last Modified: 2010-03-17
I'm looking to create a super user group for my site admin administrators. I need then to be able to restart print spoolers, set up machines, do general admin duties but I don't want them to have domain admin rights, What's the best permissions to give this group or does Windows have a default group just for this? Currently they all have domain access and i know this isnt the correct way to go as i dont want them looking anywhere and everywhere.
0
Comment
Question by:boomerbostock
  • 2
  • 2
5 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 19573745
Hi boomerbostock,

Members of builtin Print operators group can restart printer spooler. I would additional info about what you mean woth "set up machines" and "general admin duties" to give more precise answer.

HTH

Toni
0
 

Author Comment

by:boomerbostock
ID: 19573897
join machines to domain
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 19573971
Any domain user can join 10 machines to domain. But usually you need to Delegate control of an OU for creating computer accounts to this users. Just right click proper OU and follow Delegation of control wizard. Always delegate to group of users -  do not use user accounts. What you need is to allow Full control for Computer account objects (or just creation of these objects).
0
 

Author Comment

by:boomerbostock
ID: 19574129
but will this allow them to access every file on the network as the have control of the OU?
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 1500 total points
ID: 19574361
If all you want is for users to add/remove workstations to the domain, you only need to delegate the following permissions on Computer objects:

Create selected objects
Delete selected objects
Read all properties
Write all properties

0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

804 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question