Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Active Directory 2008 Permissions

Posted on 2011-03-01
9
936 Views
Last Modified: 2012-05-11
What is the easiest way to give an admin access to manage ou's and log into some servers centrally, without giving high level access?  
0
Comment
Question by:Jack_son_
9 Comments
 
LVL 27

Accepted Solution

by:
KenMcF earned 400 total points
ID: 35012963
To give permissions to OUs you can right click the OU and use the deleagtion wizard to assign the needed permissions. What permissions are you look to give?

For server access, you can either add them to the local Admin group on a member server or add them to the remote desktop users group. From the sound of your post I think the remote desktop users group is what you want. They can also use active directory users and computer from their desktop if you do not want them logging into a server.
0
 
LVL 15

Assisted Solution

by:wantabe2
wantabe2 earned 100 total points
ID: 35012973
Use the delegation wizaard. This will do the trick
0
 
LVL 3

Expert Comment

by:mnation1
ID: 35012979
You could try adding them to Group Policy Creator Owners and Schema Admins.  That will give them access to alter the schema and group policy objects in AD, but it shouldn't allow them administrator access on all machines.  Then explicitly add the account to the administrators group on the servers/workstations you'd like them to manage.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 27

Expert Comment

by:KenMcF
ID: 35012995
Why the Schema Admins group? this group should be empty and only add users when and if you need to make any schema modifications.
0
 

Author Comment

by:Jack_son_
ID: 35013050
we want to limit it to management of OU's and adding email accounts.  Also, access to limited servers.
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 400 total points
ID: 35013105
You will need to determine what permissions you want to give and then use the delegation wizard.
Look into creating a task pad view so they get a view of a single OU or whatever you want.

For the servers you can do this through a GPO
http://www.frickelsoft.net/blog/?p=13

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 400 total points
ID: 35013176
0
 

Author Comment

by:Jack_son_
ID: 35013880
great thanks, let me try it. Will it also let you prevent them from adding users from adding users to groups with elevated privileges?
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 400 total points
ID: 35013892
it depends on how you set the permissions on the group and users.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question