Solved

member server delegation

Posted on 2008-11-03
Last Modified: 2012-08-14
Dear experts,

I am the domain admin for a single active directory domain.  Another company wants admin. access to one of our member servers (i.e. we need to hand ownership of this server to them) - what is the best way to do this ?  They don't want us to control this server anymore - they want full admin access.

The server in question is just running some basic apps i.e. it is not a DC or running any microsoft services as such - but the server has to stay in our domain - it can't be moved into their domain.

I was thinking of creating a new OU and moving this server into it and then delegating control of this OU to the other company via group permissions, etc.

Can you let me know if this is the perfect solution to this issue or is there a better way please ?

Thanks in anticipation ...

RP
Question by:richardstuartpowell
6 Comments
 
LVL 16

Accepted Solution

by:
JoWickerman earned 35 total points
ID: 22865868
Hi richardstuartpowell,

Is there no way that you can remove the PC from your domain and make it part of a workgroup, keeping it on your subnet? Otherwise the other company will have access to your other servers through this server?

Cheers.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 70 total points
ID: 22865897
If you delegate control to an OU then you will still have the ability to manage the server. The only way to remove the ability to manage it from your administrators is to remove it from your domain (or forest).
0
 
LVL 2

Author Comment

by:richardstuartpowell
ID: 22866354
OK that sounds perfectly reasonable.

I was hoping to keep things tidy and retain the server in our AD but put it into an OU for them to manage - but I get your point that WE would still have access, so I guess the best way to resolve this is to take this member server out of our domain and stick it into a workgroup all of its own.

How would you suggest that we then give access (admin access) to this server to the other company ?  I was thinking remote desktop ?

Cheers
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 70 total points
ID: 22866371
Yes - Remote desktop would seem a perfectly reasonable solution
0
 

Assisted Solution

by:AckeyGraham
AckeyGraham earned 20 total points
ID: 22866372
Or another is to create an account, with basic access, but give them membership to the local admin of the actual machine. Therefore it will still be on your domain and accessed by whoever needs it within your org, and also administered by the other outfit.

Same way, both will work
0
 
LVL 2

Author Closing Comment

by:richardstuartpowell
ID: 31512624
Thanks to everyone for responding so quickly - all responses well articulated - cheers fellas.

Points split amongst all that responded :-)
0
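
A way to check the outcome of whichever option from this thread is chosen, added here as an example and not code posted by any participant: it reports whether the server is still domain-joined and which principals hold local Administrators membership. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module, run elevated on the server itself; the function name `Get-LocalAdminAudit` is hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the member server.
# Get-LocalAdminAudit is a hypothetical helper name.
function Get-LocalAdminAudit {
    # PartOfDomain is $true for a domain member; Domain then holds the domain
    # name, otherwise it holds the workgroup name.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
        # lookup does not depend on the localized group name.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    }
    catch {
        Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        $sid = $m.SID.Value
        [pscustomobject]@{
            Computer          = $cs.Name
            DomainJoined      = $cs.PartOfDomain
            DomainOrWorkgroup = $cs.Domain
            Member            = $m.Name
            Class             = $m.ObjectClass      # User or Group
            Source            = $m.PrincipalSource  # Local, ActiveDirectory, ...
            SID               = $sid
            # RID 512 under a domain SID is the Domain Admins group, which is
            # added to local Administrators when a machine joins a domain.
            IsDomainAdmins    = $sid -match '^S-1-5-21-.+-512$'
            # Anything not defined on this server is controlled elsewhere.
            NonLocalPrincipal = "$($m.PrincipalSource)" -ne 'Local'
        }
    }
}

Get-LocalAdminAudit |
    Sort-Object NonLocalPrincipal -Descending |
    Format-Table Member, Class, Source, IsDomainAdmins, DomainJoined, DomainOrWorkgroup -AutoSize
```

After a move to a workgroup, `DomainJoined` should be `False` and every member should show `Source` as `Local`. While `DomainJoined` is `True` the server still processes the domain's Group Policy, so an empty list of domain principals does not by itself mean the domain's administrators have lost the ability to manage it.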