Solved

Delegation and Control help please!!

Posted on 2011-02-15
522 Views
Last Modified: 2012-05-11
Hello all....... We are getting an access denied error when an East Coast or West Coast Admin attempts to create another East\West Coast Admin user. The East Coast and West Coast Admins can create a supervisor user and local operator user just fine. Attached is a file with the OU layout so you can see what I am trying to do.

In the Microcom User Groups OU I have 4 security groups and user templates that need to be managed by their respective admins. Below are the security groups and user templates that were created in the Microcom User Groups OU.
- Supervisors SG
- Local Operator SG
- East Coast Admin SG. This group has the Backup Operators and Server Operators assigned. Are these two groups causing the denied error?
- West Coast Admin SG. This group has the Backup Operators and Server Operators assigned. Maybe these two groups are causing the denied error?


_Shift Supervisor Template (member of Supervisors SG and authenticated users SG)
_Local Operator Template (member of Local Operator SG and authenticated users SG)
_East Coast IT Admin Template (member of East Coast IT Admin SG, and authenticated users SG)
_West Coast IT Admin Template (member of West Coast IT Admin SG,  and authenticated users SG)

Here is what we are trying to do. A West Coast IT Admin and East Coast IT Admin should be able to create a Shift Supervisor user, a Local Operator, and other East Coast/West Coast IT Admin users in the Microcom User Groups OU. They will create these users manually or by copying the user template and filling out the user fields.

The West Coast IT Admin should be able to move the newly created user from the Microcom User Groups OU into the Users OU, which is located in the West Coast OU. The West Coast IT Admin should also be able to manage those user accounts, including other West Coast Admin accounts, and create computers in the West Coast OU.

The East Coast Admin should be able to move the newly created user from the Microcom User Groups OU into the Users OU, which is located in the East Coast OU. The East Coast Admin should be able to manage the user accounts, including other East Coast Admin accounts, and create computers in the East Coast OU.

Now here is what I am thinking when I run the Delegation of Control wizard.
On the Microcom User Groups OU
1. Right click the Microcom User Groups OU and select Delegate Control.
2. Add the East Coast and West Coast Admins SG.
3. Create a custom delegation.
4. Make sure the General box is checked, and select Full Control.
This should allow the East and West Coast Admins to create users, even other East and West Coast IT Admin users, in the Microcom User Groups OU, correct?

On the West Coast OU
1. Right click the West Coast OU and select Delegate Control.
2. Add the West Coast Admins SG.
3. Create a custom delegation.
4. Make sure the General box is checked, and select Full Control.
This should allow the West Coast Admins to create users (or move users from the Microcom User Groups OU) and create computer objects in the West Coast OU and the OUs below it... correct?

On the East Coast OU
1. Right click the East Coast OU and select Delegate Control.
2. Add the East Coast Admins SG.
3. Create a custom delegation.
4. Make sure the General box is checked, and select Full Control.
This should allow the East Coast Admins to create users (or move users from the Microcom User Groups OU) and create computer objects in the East Coast OU and the OUs below it... correct?

Would my delegation work like we want?

Any input would be appreciated...............  Thanks..



OUlayout.jpg
0
Comment
Question by:drzura
3 Comments
 
LVL 9

Accepted Solution

by:
araberuni earned 2000 total points
ID: 34902146
AD Delegation best practice: http://www.microsoft.com/downloads/en/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

Delegation security: http://support.microsoft.com/kb/235531

Once you finish each delegation wizard, open AD Users and Computers > View > Advanced View > select Microcom User Groups > right click > Properties > Security > check the security settings of each OU.

Repeat this for the East and West OUs. You are OK for the rest.

0
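The accepted answer's manual check (ADUC > Advanced View > Security on each OU) and the three delegation steps in the question can be verified from a script. The following PowerShell is an added example, not code from the question, the answer, or Microsoft; it assumes the ActiveDirectory module is installed, takes the OU and group names from the question, and uses a placeholder domain DN that must be replaced. Beyond dumping the explicit ACEs the wizard wrote, it lists accounts with adminCount=1: membership in a protected built-in group such as Backup Operators or Server Operators causes the AdminSDHolder process to overwrite the account's ACL and block inheritance, so a Full Control delegation on the OU never reaches those objects. That is the first thing to check when a delegated admin is denied on another admin account that was copied from a template carrying those group memberships.

```powershell
# Added example (not from the question or the accepted answer): audit the
# delegation the wizard produced on each OU and flag accounts that OU-level
# delegation cannot reach. OU and group names are taken from the question;
# the domain DN is a placeholder you must replace.
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=local'                                  # placeholder, replace
$ouNames  = 'Microcom User Groups', 'East Coast', 'West Coast'     # OUs from the question
$admins   = 'East Coast Admin SG', 'West Coast Admin SG'           # delegated groups

foreach ($name in $ouNames) {
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $domainDN
    if (-not $ou) { Write-Warning "OU '$name' not found under $domainDN"; continue }

    # Same view the accepted answer reaches through ADUC > Advanced View > Security,
    # restricted to the explicit (non-inherited) Allow entries for the two admin groups.
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    Write-Host "`n== $($ou.DistinguishedName) =="
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        Where-Object { $admins -contains ($_.IdentityReference.Value -replace '^.*\\', '') } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType |
        Format-Table -AutoSize
}

# Members of protected groups (Backup Operators and Server Operators among them)
# get adminCount=1, and AdminSDHolder replaces their ACL and blocks inheritance.
# The OU delegation above therefore does not apply to these objects.
Write-Host "`n== Accounts protected by AdminSDHolder (OU delegation does not apply) =="
Get-ADUser -Filter 'adminCount -eq 1' -SearchBase $domainDN -Properties adminCount, memberOf |
    Select-Object SamAccountName, DistinguishedName,
        @{ Name = 'InheritanceBlocked'; Expression = {
            (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected } } |
    Format-Table -AutoSize
```

Run it as a user who can read the OU security descriptors. If the admin templates show up in the second list with InheritanceBlocked set to True, the denial comes from AdminSDHolder rather than from the wizard settings, and the fix is to keep the templates (and the accounts copied from them) out of the protected built-in groups rather than to widen the OU delegation.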
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35340012
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
