Configure Different Administrator Access Level in Win2k3 Server

How can I go about paring down the domain administrator access in Win 2k3 server so that I can delegate certain administrative functions to my IT staff to manage?
This can be done through Delegation of Permissions in AD.  The DoP Wizard doesn't offer much flexibility, but you can edit the DSACLs manually.

Create a Group and make your IT Staff members of it.  Create an OU and move the objects that need to be managed into this OU (or sub-OUs).  Go to the Properties of the OU and then the Security tab.  (You need to turn on Advanced Features to see the Security tab.)  Click the Advanced button, click Add and select your group.  Review the various properties on both the Objects tab and the Properties tab; they are very granular.  These lists change when the scope is changed (the "Apply To" drop-down box).  It sounds like you'd be interested in "This Object Only" for create/delete permissions of users/groups/computers, and the "Groups Only", "Users Only", and "Computers Only".  You may have to add the same group several times to get all the ACLs you need, as only one scope can be selected and added at a time.

By removing your Staff from Domain Admins, you effectively cut off their admin access to all workstation and server computers.  You'll probably want to create a Startup Script that adds the group you made above to the local Administrators group on the workstations and/or servers these admins will be managing.

You should also consider moving the default location of new Computer objects, if they'll need to manage those (

Also, anyone who is currently in a Protected Group (Enterprise Admins, Schema Admins, Domain Admins, Account Operators, Server Operators, Backup Operators, Print Operators) and is subsequently removed, should have their "AdminCount" attribute cleared (via adsiedit or vbscript).  When this attribute is set to '1', permissions from AD are not inherited by the user object, and are taken from the AdminSDHolder object instead.  This isn't critical, just good housekeeping.
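
The delegation steps described in the answer above, written as dsacls.exe commands (an added example, not part of the original answer; dsacls.exe ships with the Windows Server 2003 Support Tools). The OU path `OU=Managed,DC=example,DC=com` and the group `EXAMPLE\IT-Staff` are assumed placeholder names, and granting `GA` (full control) on descendant objects is an assumption to narrow to the rights the staff actually need.

```batch
@echo off
rem Added example: delegate an OU to an IT staff group with dsacls.exe.
rem OU and GRP are assumed placeholder names; replace them with your own.
setlocal
set "OU=OU=Managed,DC=example,DC=com"
set "GRP=EXAMPLE\IT-Staff"

rem Record the OU's ACL before changing it, for later comparison or rollback.
dsacls "%OU%" > "%TEMP%\ou-acl-before.txt"

for %%T in (user group computer) do (
    rem Scope "This Object Only": create (CC) and delete (DC) child
    rem objects of this type directly in the OU. No /I switch means the
    rem ACE applies to the OU object itself and is not inherited.
    dsacls "%OU%" /G "%GRP%:CCDC;%%T"

    rem Scope "Users Only" / "Groups Only" / "Computers Only": /I:S makes
    rem the ACE apply to child objects only, and the third field limits
    rem it to objects of this type. GA is full control (an assumption);
    rem use narrower permission bits where full control is not required.
    dsacls "%OU%" /I:S /G "%GRP%:GA;;%%T"
)

rem Print the resulting ACL so the new entries can be reviewed.
dsacls "%OU%"
endlocal
```

Each type needs two separate ACEs because, as in the GUI, one entry carries only one scope.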

Domain admins have the same access as administrators.  You really should not pare this down.

Better is to create a new group, and selectively add the privileges that you want the group to have.
Create a new user and give this user appropriate rights; don't change the rights of the default admin.
Question has a verified solution.
