Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to grant specific permissions to domain user accounts without adding them to Domain Admins group

Posted on 2012-04-12
12
Medium Priority
?
356 Views
Last Modified: 2012-07-10
OK, I am sure this has been addressed before, but I am in a hurry and cannot find anything on it.

Can anyone direct me to links or explain how I can give domain user accounts the necessary rights to add/remove computer objects from the domain and other rights that they may need to perform MS updates and install applications, like Flash Player, Adobe Reader, etc. without them being part of the Domain Admins group?  Which is what they are right now.  Or is it just too much hassle to manage and just leave them as Domain Admins?


Hopefully that was clear.


Thanks in advance.
0
Comment
Question by:rsnellman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
  • +1
12 Comments
 
LVL 6

Expert Comment

by:dave_it
ID: 37838230
Add the user to the domain-level Administrators group.  This will allow the user to apply patches, updates, apps, etc., but not give any rights within AD.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 37838259
By default Windows is set to allow anyone to add up to 10 computers to the domain. To be able to install applications on the local PC you could add them to the local admin group on the PC's. This will give them full admin rights on the PC without giving them domain rights to the servers. It depends on the amount of security you wish to maintain over the local PC's.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 336 total points
ID: 37838288
The built-in administrators group will give them rights in AD and that group replicates.  The difference is that domain admins are in the local admin group of every machine by default.

What I'd do is create a new group and add that group to the local admin on machines using restricted groups  http://www.windowsecurity.com/articles/using-restricted-groups.html

You can also delegate rights in AD or use other builtin groups like account operators.

What you are doing and trying to reduce domain admins is a good thing

Thanks

Mike
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:rsnellman
ID: 37838301
dave_it,
I am not sure I follow you.  Isn't the domain level administrators group the same thing as the Domain Admin group?  I mean especially if the domain administrator group is a member of the Domain Admins group, which it is.


I have setup a policy to add them to the local admin group on the PC's, so that is good to go.  However, I am concerned about them running into issues with trying to add computers to the domain and removing them when needed.

I am trying to do this in a way that doesn't interfere with their normal everyday tasks.
0
 
LVL 26

Assisted Solution

by:pony10us
pony10us earned 1332 total points
ID: 37838335
In our organization we have created a group called "special admins" that we add to the local administrators group through GPO. Individuals placed in that group have full admin rights to any system they log onto without giving them domain admin rights. We use this mainly for laptops.

You may want to look at:   http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
0
 
LVL 6

Assisted Solution

by:dave_it
dave_it earned 332 total points
ID: 37838388
No, Domain Admins and the built-in Administrators group are separate groups.  We use this group to grant select individuals the ability to patch Domain Controllers.  However, after reading Mike's comment I realized that this group will most likely not provide the solution to your original question.  

As mentioned above, a better solution would be to create a new AD group, script it or use a GPO to drop it into the local Administrators group on PC's and servers, and then delegate the AD rights needed.
0
 

Author Comment

by:rsnellman
ID: 37965754
OK, that all makes sense, but I guess I am trying to figure out what AD rights are needed to delegate for these special admin groups so they can add to/remove from computers from the domain.

Any ideas or links to assist will be greatly appreciated.
0
 
LVL 26

Assisted Solution

by:pony10us
pony10us earned 1332 total points
ID: 37965820
Open the Active Directory Users and Computers snap-in.

Right-click the container under which you want the computers added, and press Delegate Control.

Press Next.

Press Add.

After adding all the users and/or groups, press Next.

Select Create custom task to delegate and press Next.

Select Only the following objects in the folder, check Computer objects, check the Create selected objects in this folder box, and press Next.

Check the Create all child object box and press Next.

Click Finish
0
 

Author Comment

by:rsnellman
ID: 37965835
Thanks pony10us.  And this will cover them being able to add and remove computers from the domain?  Nice.

Thanks again.
0
 
LVL 26

Assisted Solution

by:pony10us
pony10us earned 1332 total points
ID: 37965851
You need to do that at the OU you want them to be able to add the computer too.  Look through the options in case I missed any.
0
 

Author Comment

by:rsnellman
ID: 37965870
Wait, what about computers already added to the domain.  Would I need to do the root of the domain to delegate rights to be able to remove the computers (computer objects) from the domain?  Or would have to do that to each and every OU for this special admin group?
0
 
LVL 26

Accepted Solution

by:
pony10us earned 1332 total points
ID: 37965948
You can do that at the root of the domain.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question