Solved

Windows 2000 AD Group Delegation Help

Posted on 2009-04-02
Last Modified: 2012-05-06
Right now I'm running a Windows 2000 domain. I want to give my four help desk users the ability to do the following ONLY:
- Able to add / remove a PC to the domain.
- Reset users' passwords, but cannot reset domain admin or service account passwords.
- Is a member of the local Admins group on all workstations and not on servers!

Any thoughts?
Question by: compdigit44
3 Comments
LVL 57

Accepted Solution

by: Mike Kline earned 250 total points
ID: 24054052
For the first two you can use the delegation control wizard and give those rights to the help desk group (place the users in a group) -- see screen shot.
For the admin group task I'd use restricted groups. Florian has a great blog on the subject here:
http://www.frickelsoft.net/blog/?p=13
One thing to note: with restricted groups you can either add to what is there or wipe out what is there and add new groups.
For this you just want to add the help desk group, so just remember that part. I'd test on a few machines first so you get a feel for it. Then link the policy to the OU where your workstations are located.
Thanks
Mike

Delegation-Wizard.jpg
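Mike's "add to what is there" versus "wipe out what is there" distinction, shown as an added example (not from the thread or the linked blog) in the GptTmpl.inf form that the Group Policy editor writes into SYSVOL for the Restricted Groups setting. The domain name, GPO GUID and domain SIDs below are constructed placeholders.

```ini
; Constructed example: two ways to make the HelpDesk group a local Administrator.
; The file the GPO editor writes lives at (GUID and domain are placeholders):
; \\contoso.local\SYSVOL\contoso.local\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

; --- Form 1 (commented out): "Members" defined on BUILTIN\Administrators (S-1-5-32-544) ---
; Authoritative: at every policy refresh the local Administrators group on each
; machine in scope is reset to exactly this list. A user who was made a local
; admin on their own PC (the case raised in the follow-up) is removed.
; RID 512 = Domain Admins, RID 1104 = the HelpDesk group (placeholder RID).
;[Group Membership]
;*S-1-5-32-544__Memberof =
;*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1104

; --- Form 2 (active): "Member of" defined on the HelpDesk group, the approach Mike recommends ---
; Additive: HelpDesk is added to local Administrators wherever it is missing;
; members that are already present are left alone.
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1104__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1104__Members =
; The blank Members line is a defined, empty list for the HelpDesk group itself.
; On a workstation it is harmless, because a domain group's membership cannot be
; changed locally; keep the GPO linked to the workstation OU only, as Mike says.
```

Only one form should be present in a given GPO; to check the result on a test workstation, compare the local Administrators membership before and after a policy refresh.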
LVL 19

Author Comment

by: compdigit44
ID: 24055388
Do you have any suggestions on using the Restricted Groups policy... Here is a question: what if a user has local admin rights on their specific workstation? I don't want this policy to wipe this out! Also I was hoping to place this policy at the root of my domain since I have multiple OUs for multiple different sites, yet I don't want my servers to be affected...

Please help.
LVL 18

Assisted Solution

by: Americom earned 250 total points
ID: 24056073
Regarding the Restricted Groups policy, everything you need to know about how to create and use the GPO is clearly explained in the link provided above by Mike. As Mike has suggested, the best way is to test it out: create a test OU, place a workstation in the OU, then create the GPO for the group you want to add and link the GPO to the OU. This way you can verify whether the group you added is in the Administrators group of the workstation in that OU.

Regarding linking the GPO to the domain, that will create more work for you, especially since I'm sure there are a lot of other machines, such as servers, that you don't want the GPO to apply to. Also, if you link at the domain level, you have to be careful each time you create a new OU that may have machines that you do not want the GPO to apply to; then you end up doing Block Inheritance etc., which is high maintenance.

What we do is create a root OU for all workstations and one OU for all servers. Within each OU, we organize the workstations by location. For servers, you may want to organize by function like apps, file, print, database etc., as these functions are more specific and sensitive to servers, whereas workstations are more sensitive to location as they will be used by the local users etc. You may consider reorganizing your systems this way to eliminate administrative overhead.