Solved

Windows 2008: tailor-made administrator for a specific domain controller

Posted on 2012-08-21
Last Modified: 2012-09-13
Dear all:

I have one domain and several domain controllers in different cities, and each city has its own DC. Any idea how to make a tailor-made administrator that delegates full rights to a specific city only?

e.g. city1_admin, city2_admin; they should have full rights in their own cities.

I delegated the OU to them and gave them Server Operator rights, but it seems they can create/delete but still cannot change sharing and permissions on their own servers... but if I gave them Domain Admin it would be too much.

Any idea how to tune it to just give them create/delete/change permission rights for their OU and DC only, while they still have the right to share with people in other cities?
Question by:barrykfl
9 Comments
 
LVL 30

Accepted Solution

by: Rich Weissler (earned 1332 total points)
ID: 38321088
Hopefully I understand:
  You want to delegate some rights over an OU to a user/group.
  You also want that user/group to have some rights over a single domain controller.

The first can be solved with the Delegation of Control Wizard.  (If you'd been trying something else... like adding users/groups to the built-in Server Operators or Account Operators groups, remove the entries you added in those groups first.)

The second is trickier.  What rights would you want those users to have in your DCs?  Just permissions to shut down the server in an emergency?  (Give serious thought to what server admin rights you might give to a fully functional DC... )
 
LVL 70

Assisted Solution

by: KCTS (earned 668 total points)
ID: 38321148
You can certainly use the Delegation of Control Wizard to limit what they can do and to which domains or OUs: http://technet.microsoft.com/en-us/library/dd145344.aspx

It is not practical to limit which DC they can use, since the very concept of AD is that it's a distributed database that can be edited/updated from any appropriate DC.
 
LVL 8

Author Comment

by:barrykfl
ID: 38323617
I delegated the OU to them already, but they have Server Operator rights... they cannot browse Computer Management, format, assign drive letters, or set permissions... this group can create folders on the specific DC but cannot set the security rights. It must be Domain Admin....
Any trick, or must I allow them Domain Admin rights?

The Delegation Wizard only delegates the OU rights... not control over the specific DC's folders / Computer Management.

> The second is trickier.  What rights would you want those users to have in your DCs?  Just permissions to shut down the server in an emergency?  (Give serious thought to what server admin rights you might give to a fully functional DC... )
 
LVL 30

Assisted Solution

by: Rich Weissler (earned 1332 total points)
ID: 38336180
> The Delegation Wizard only delegates the OU rights... not control over the specific DC's folders / Computer Management.

Correct.  Rights within the directory don't grant rights to the computers themselves, unless also granted via another mechanism: GPO, for example.

> I delegated the OU to them already, but they have Server Operator rights... they cannot browse Computer Management, format, assign drive letters, or set permissions... this group can create folders on the specific DC but cannot set the security rights. It must be Domain Admin....
> Any trick, or must I allow them Domain Admin rights?


I'm sorry, I don't understand.
I assume you are still looking for a method of granting rights to a specific domain controller via GPO, without granting Domain Admin.
1. Create a group within Active Directory.
2. Put the users you want to grant rights to the domain controller within that group.
3. Create a GP, and assign rights in "Computer Configuration", "Policies", "Windows Settings", "Security Settings", "Local Policies / User Rights Assignments".  You can give away rights with a fair amount of granularity.  Assign the rights to the group created in step 1.  **
4. Link the GPO to the Domain Controllers OU.  AND in "Security Filtering", specify the ONE, SINGLE domain controller to which you want these permissions to be granted.

** To reiterate what's been said a couple of times, however -- realize that granting rights to a domain controller, any domain controller, carries with it a fair amount of risk.  Look carefully at what you are granting, because escalating permissions beyond what you grant becomes possible on a DC.
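The four steps above, as an added PowerShell example that is not from the thread or any poster. It assumes a Windows Server 2008 R2 or later admin workstation with the ActiveDirectory and GroupPolicy RSAT modules, and the group, GPO, OU and DC names are placeholders. The User Rights Assignment entries themselves (step 3) have no GroupPolicy-module cmdlet and are still set in the GPMC editor as the post describes.

```powershell
# Added example, not from the thread. Assumed names: CA-DC-Operators, CA-DC-Rights,
# OU=CA and dc-ca-01; replace them with your own.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$groupName = 'CA-DC-Operators'      # step 1: group that receives the rights
$member    = 'ca_administrator'     # step 2: the delegated admin from the question
$gpoName   = 'CA-DC-Rights'         # step 3: GPO carrying the User Rights Assignments
$targetDC  = 'dc-ca-01'             # step 4: the ONE DC that should apply it

# Steps 1 and 2: create a global security group and add the delegated admin to it.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path "OU=CA,$domainDN" -Description 'Delegated operators for the CA domain controller'
}
Add-ADGroupMember -Identity $groupName -Members $member

# Step 3: create the GPO. The User Rights Assignment entries (Computer Configuration >
# Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment)
# are then granted to $groupName in the GPMC editor; keep the list of rights as short as
# the task allows, since every right handed out on a DC is a domain-wide exposure.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Local user rights for the CA DC only' }

# Step 4: link to the Domain Controllers OU, then use Security Filtering so that only the
# single DC applies it. Authenticated Users keeps Read (every DC must still be able to
# read the GPO to evaluate it) but loses Apply; the target DC's computer account gets Apply.
New-GPLink -Name $gpoName -Target "OU=Domain Controllers,$domainDN" -LinkEnabled Yes `
    -ErrorAction SilentlyContinue
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoName -TargetName $targetDC -TargetType Computer `
    -PermissionLevel GpoApply

# Check: list who can apply the GPO. Only the $targetDC computer account should show GpoApply;
# any other trustee here means the rights would reach more than one DC.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```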
 
LVL 8

Author Comment

by:barrykfl
ID: 38344263
How come, if no GPO can be used... is there still any method to make a specific administrator with full control over that DC only?

e.g. I created 2 DCs in the same domain, one in CA and one in NY. I created a CA OU and delegated it to a "ca_administrator" that has Server Operator rights. If I don't set any GPO, how can I allow ca_administrator to create folders, set permissions and have full control on the CA server only?

Now it can create folders on the CA server but cannot change permissions, disk management, etc.
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 38345270
Not using GPO?
I haven't tried this one, but since I know having a GPO setting local security policies on the DC does work -- I suppose you COULD assign permissions directly in the local security policies.  (There should be a link from Administrative Tools.)

Assigning permissions to be able to change permissions on shares and folders would just require FULL CONTROL in the ACLs on the volume, shares, and folders on the server.
 
LVL 8

Author Comment

by:barrykfl
ID: 38375893
I've requested that this question be deleted for the following reason:

NO help ~
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 38375894
I'm sorry that you feel that no help was provided.  If I understand your question correctly, you want to make an individual a full administrator over a single domain controller, but not over other domain controllers in the same domain.  Domain controllers don't have a local security database in the same way that other computers have.  Options to grant the equivalent permissions to an individual without granting those permissions to other users were put forward.  Have you been able to implement any of those options, or do you need additional information on procedures to proceed?
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 38381583
Thank you JARmod101,
  I believe http:#a38321088, http:#a38321148, and http:#a38336180 have what would be the useful answers which should be accepted.