Best way to delegate permissions to admins in a different AD Site
Posted on 2012-03-29
We have a single forest/single domain AD setup in the UK.
We've recently built a new physical site in America. We've grouped all user, computer & other relevant accounts in separate OUs dedicated to the new USA site.
This site has DCs, Exchange 2010, F&P, Hyper-V and a TMG server set up. All run Windows 2008 R2 native mode.
We've created it as an AD site.
We have a couple of admins in the new USA office. These guys are 'lower level' admins and cannot have any rights outside of these dedicated OUs at all. They cannot therefore have domain admin rights but still need to manage all server and client day-to-day tasks.
I have so far:
- Created a security group for the two of them.
- I have added this group to each server so they can remote Desktop to them.
- I have given them full delegated permission rights to the OUs in question.
- I have created a basic Exchange 2010 role group for them.
Some issues I still have are:
- I need them to be able to log on to all client computers and have full rights (similar to being a domain admin).
- I need them to be able to log onto all servers and be able to shutdown or restart them (without making them local admin group members if possible).
- They MUST NOT have any rights to any object outside of their OUs.
Is it possible to create a 'custom domain admin' group with reduced rights?
I would appreciate any and all help you can provide on this. I'm thinking it may have been easier if I created a separate child domain although, for a small site yet to develop, it may have been overkill at this stage.
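The hard requirement in the post is that the delegated group has no rights on anything outside its OUs. The script below is an added verification check, not code from the original post: it walks every OU and container in the domain, lists each explicit (non-inherited) ACE granted to the delegated group, and flags any Allow entry whose container does not sit under the expected OU subtree. The group name "USA-SiteAdmins", the domain "corp.example" and the OU "OU=USA,DC=corp,DC=example" are assumptions; adjust them to your own names.

```powershell
# Audit where a delegated admin group holds explicit ACEs in AD and flag
# any that fall outside the OU subtree it is supposed to manage.
# Assumed names (not from the post): group CORP\USA-SiteAdmins, scope OU=USA.
Import-Module ActiveDirectory

$DelegatedGroup = 'CORP\USA-SiteAdmins'        # NTAccount form as it appears in ACLs
$AllowedScope   = 'OU=USA,DC=corp,DC=example'  # DNs ending in this are in scope

# Domain head, every OU, and every plain container (e.g. the default CN=Computers,
# where new machine accounts land if nobody redirects them).
$containers  = @((Get-ADDomain).DistinguishedName)
$containers += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
$containers += Get-ADObject -LDAPFilter '(objectClass=container)' -SearchScope Subtree |
               Select-Object -ExpandProperty DistinguishedName

$findings = foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $DelegatedGroup) { continue }
        # Inherited entries are reported at the container where they were set.
        if ($ace.IsInherited) { continue }
        [pscustomobject]@{
            Container  = $dn
            InScope    = $dn.EndsWith($AllowedScope, [System.StringComparison]::OrdinalIgnoreCase)
            Type       = $ace.AccessControlType
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType   # attribute/class GUID the ACE is limited to, or all zeros
        }
    }
}

$findings | Sort-Object InScope, Container | Format-Table -AutoSize
$leaks = @($findings | Where-Object { -not $_.InScope -and $_.Type -eq 'Allow' })
if ($leaks.Count -gt 0) {
    Write-Warning "$($leaks.Count) Allow ACE(s) for $DelegatedGroup found outside $AllowedScope"
}
```

Run it from a workstation with the RSAT ActiveDirectory module, then re-run after any delegation change; an empty warning line is the expected result when the group is confined to its OUs.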