Solved

Need to grant specific rights to computer objects in AD

Posted on 2010-11-16
3
400 Views
Last Modified: 2012-06-27
I am trying to come up with a way to allow Help Desk staff to Add/Remove/Move Computer objects in AD. By move I mean move from one OU to another. I was looking at the Delegation Wizard in ADUC but could not figure it out. I want just these rights and nothing else so if I add a Help Desk member to a group I delegated rights to, that is all they can do.
0
Comment
Question by:osiexchange
3 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34148752
You can follow the steps in this link to allow them to add the computers to the domain. I would recommend creating a security group and adding the group to the GPO. Then add all your help desk users to that group.

http://www.windowsitpro.com/article/domains2/jsi-tip-8144-how-can-i-allow-an-ordinary-user-to-add-a-computer-to-a-domain-.aspx
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 34148773
You will probably have to go granular into the ACL (not a default choice in the delegation control wizard)  

http://support.microsoft.com/kb/818091
 
You can extend the delegation control wizard   http://adisfun.blogspot.com/2009/08/extend-ad-delegation-control-wizard.html

...not at my lab right now so not sure if move computer objects is one that is added there.

Thanks
Mike
0
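
One way to set the granular ACL entries the accepted answer refers to, using `dsacls.exe` from PowerShell (an added example, not code from the thread or from the linked articles). The group name and OU distinguished names are constructed placeholders, and the set of rights (create/delete child for the computer class, plus write on `name` and `cn` so a move can rewrite the RDN) is this example's assumption of what Add/Remove/Move requires.

```powershell
# Added example: delegate create/delete/move of computer objects with dsacls.
# Group name and OU DNs are constructed placeholders; replace with your own.

function Get-ComputerDelegationAce {
    param([Parameter(Mandatory)][string]$Group)
    @(
        # Create and delete child objects of class computer, on the OU and sub-OUs
        @{ Inherit = 'T'; Ace = "${Group}:CCDC;computer" }
        # A move rewrites the RDN: allow writing name and cn on descendant computers only
        @{ Inherit = 'S'; Ace = "${Group}:WP;name;computer" }
        @{ Inherit = 'S'; Ace = "${Group}:WP;cn;computer" }
    )
}

function Grant-ComputerDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$OrganizationalUnit
    )
    foreach ($ou in $OrganizationalUnit) {
        foreach ($entry in Get-ComputerDelegationAce -Group $Group) {
            $action = "dsacls /I:$($entry.Inherit) /G $($entry.Ace)"
            if ($PSCmdlet.ShouldProcess($ou, $action)) {
                & dsacls.exe $ou "/I:$($entry.Inherit)" /G $entry.Ace | Out-Null
                if ($LASTEXITCODE -ne 0) {
                    throw "dsacls failed on $ou for $($entry.Ace)"
                }
            }
        }
    }
}

# A move needs delete rights on the source OU and create rights on the
# destination OU, so apply the same ACEs to every OU the Help Desk works in.
$ous = 'OU=Workstations,DC=example,DC=com',
       'OU=Laptops,DC=example,DC=com'

# -WhatIf lists the changes without applying them; remove it to apply.
Grant-ComputerDelegation -Group 'EXAMPLE\HelpDesk-ComputerOps' `
    -OrganizationalUnit $ous -WhatIf

# Review the resulting ACL on one OU afterwards:
# dsacls.exe 'OU=Workstations,DC=example,DC=com'
```

Scoping the entries to the `computer` class and to specific OUs keeps the group from gaining rights over users, groups or other containers.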
 

Author Comment

by:osiexchange
ID: 34149190
The newer inf file does add a lot of rights from the default but I did not see anything in there about moving a computer object. The Microsoft article seems to cover moving and removing but not adding.

Do you know if changing the inf file does anything to rights already delegated using the old inf file?
0
