Active Directory 2008 Permissions

Posted on 2011-03-01
Last Modified: 2012-05-11
What is the easiest way to give an admin access to manage OUs and log into some servers centrally, without giving high-level access?
Question by:Jack_son_
9 Comments
 
LVL 27

Accepted Solution

by:
KenMcF earned 1600 total points
ID: 35012963
To give permissions to OUs you can right-click the OU and use the delegation wizard to assign the needed permissions. What permissions are you looking to give?

For server access, you can either add them to the local Admin group on a member server or add them to the Remote Desktop Users group. From the sound of your post I think the Remote Desktop Users group is what you want. They can also use Active Directory Users and Computers from their desktop if you do not want them logging into a server.
0
 
LVL 15

Assisted Solution

by:wantabe2
wantabe2 earned 400 total points
ID: 35012973
Use the delegation wizard. This will do the trick.
0
 
LVL 3

Expert Comment

by:mnation1
ID: 35012979
You could try adding them to Group Policy Creator Owners and Schema Admins.  That will give them access to alter the schema and group policy objects in AD, but it shouldn't allow them administrator access on all machines.  Then explicitly add the account to the administrators group on the servers/workstations you'd like them to manage.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 35012995
Why the Schema Admins group? This group should be empty and only add users when and if you need to make any schema modifications.
0
 

Author Comment

by:Jack_son_
ID: 35013050
We want to limit it to management of OUs and adding email accounts. Also, access to limited servers.
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 1600 total points
ID: 35013105
You will need to determine what permissions you want to give and then use the delegation wizard.
Look into creating a task pad view so they get a view of a single OU or whatever you want.

For the servers you can do this through a GPO
http://www.frickelsoft.net/blog/?p=13

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 1600 total points
ID: 35013176
0
 

Author Comment

by:Jack_son_
ID: 35013880
Great, thanks, let me try it. Will it also let you prevent them from adding users to groups with elevated privileges?
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 1600 total points
ID: 35013892
It depends on how you set the permissions on the group and users.
0
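
An added example, not part of the original thread, for the last exchange above: whether a delegated admin can add users to a privileged group is decided by the ACL on that group object, not by the OU delegation alone. This PowerShell function flags ACEs that allow changing a group's `member` attribute or taking control of the group; the `CONTOSO` names, the function name and the sample ACEs are constructed assumptions, and property-set ACEs are not expanded.

```powershell
# Added example, not from the thread. CONTOSO names and the sample ACEs are constructed.
Add-Type -AssemblyName System.DirectoryServices
$Rights     = [System.DirectoryServices.ActiveDirectoryRights]
$MemberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'

function Find-MembershipWriteAce {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        # Principals expected to control the group (assumption; adjust per domain).
        [string[]] $Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                 'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins')
    )
    $controlMask = [int]$Rights::WriteDacl -bor [int]$Rights::WriteOwner
    $writeMask   = [int]$Rights::WriteProperty -bor [int]$Rights::Self
    foreach ($a in $Ace) {
        $who = "$($a.IdentityReference)"
        if ("$($a.AccessControlType)" -ne 'Allow' -or $who -in $Expected) { continue }
        $r  = [int]($a.ActiveDirectoryRights -as $Rights)
        $ot = [guid]$a.ObjectType
        $reason = $null
        if ($r -band $controlMask) {
            # Whoever can rewrite the DACL or owner can grant themselves membership writes.
            $reason = 'can change the ACL or owner of the group'
        }
        elseif (($r -band $writeMask) -and ($ot -in @([guid]::Empty, $MemberAttr))) {
            # An empty ObjectType means "all properties", which includes 'member'.
            $reason = 'can write the member attribute'
        }
        if ($reason) {
            [pscustomobject]@{ Identity = $who; Rights = ($r -as $Rights); Reason = $reason }
        }
    }
}

# Constructed ACEs shaped like the entries in (Get-Acl).Access for a group object.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\OU-Admins'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'WriteProperty'; ObjectType = $MemberAttr }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\OU-Admins'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ReadProperty';  ObjectType = [guid]::Empty }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Admins'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll';    ObjectType = [guid]::Empty }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Helpdesk'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'WriteDacl';     ObjectType = [guid]::Empty }
)
Find-MembershipWriteAce -Ace $sample | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module; the DN is a placeholder):
#   Find-MembershipWriteAce -Ace (Get-Acl 'AD:\CN=Domain Admins,CN=Users,DC=contoso,DC=com').Access
```

On the constructed sample it reports the `OU-Admins` write to `member` and the `Helpdesk` `WriteDacl` entry, and skips the read-only ACE and the expected `Domain Admins` entry.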

Question has a verified solution.