barrykfl (Hong Kong) asked:
Windows 2008: tailor-made administrator for a specific domain controller

Dear all:

I have one domain and several domain controllers in different cities, and different cities have their own DC. Any idea how to make a tailor-made administrator that delegates the full rights to specific cities only?

e.g. city1_admin, city2_admin; they should have full rights in their own cities.

I delegated the OU to them and gave them Server Operator rights, but it seems they can create/delete but still cannot change sharing and permissions on their own servers... but if I gave them Domain Admin it is too big.

Any idea how to tune this to just give them create/delete/change permission rights for their OU and DC only, while they have the right to share to people in other cities?
barrykfl (ASKER):

I delegated the OU to them already, but they have Server Operator rights... cannot browse Computer Management, format, assign drive letters, or set permissions... this group can create folders on the specific DC but cannot set the security rights. It must be Domain Admin...
Any trick, or must I allow them Domain Admin rights?

The Delegation wizard only delegates the OU rights... not control of the specific DC's folders / management of the computer.

The second is trickier.  What rights would you want those users to have in your DCs?  Just permissions to shut down the server in an emergency?  (Give serious thought to what server admin rights you might give to a fully functional DC... )
How come if no GPO can be used... still any method to make a specific administrator... with full control of that DC only?

e.g. I created 2 DCs in the same domain, one in CA, one in NY. I created a CA OU and delegated it to a "ca_administrator" that has Server Operator rights. If I don't set any GPO, how can I allow ca_administrator to create folders, set permissions and have full control on the CA server only?

Now it can create folders on the CA server but cannot change permissions, disk management, etc.
Rich Weissler:

Not using GPO?  
I haven't tried this one, but since I know having a GPO setting local security policies on the DC does work -- I suppose you COULD assign permissions directly in the local security policies.  (There should be a link from the Administrative Tools.)

Assigning permissions to be able to change permissions on shares and folders would just require FULL CONTROL in the ACLs on the volume, shares, and folders on the server.
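
As an added example (not part of the original thread or any participant's post), this PowerShell function applies the Full Control ACL grant described in the answer above to one folder and returns the resulting explicit entry so the change can be checked. The account `EXAMPLE\ca_administrator` and the path `D:\Shares\CA` are assumed placeholders; share-level permissions are set separately and are not covered here.

```powershell
# Added example: the identity and path are constructed placeholders.
$Identity = 'EXAMPLE\ca_administrator'   # assumed DOMAIN\account
$Folder   = 'D:\Shares\CA'               # assumed data folder on the CA server

function Grant-FolderFullControl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity
    )

    # Refuse to act on a missing path or on a file.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Folder not found: $Path"
    }

    $full      = [System.Security.AccessControl.FileSystemRights]::FullControl
    # Apply to this folder, its subfolders and its files.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $full, $inherit, $propagate, 'Allow')

    # Read the current ACL, add the explicit Allow entry, write it back.
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the explicit (non-inherited) Full Control entries for the identity.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
}

# Run from an elevated session by an account that may change the folder's ACL.
$entry = Grant-FolderFullControl -Path $Folder -Identity $Identity
if (-not $entry) {
    Write-Warning "No explicit Full Control entry found for $Identity on $Folder"
} else {
    $entry | Format-List IdentityReference, FileSystemRights, InheritanceFlags
}
```
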
I've requested that this question be deleted for the following reason:

NO help ~
I'm sorry that you feel that no help was provided. If I understand your question correctly, you want to make an individual full administrator over a single domain controller, but not other domain controllers in the same domain. Domain controllers don't have a local security database in the same way that other computers have. Options to grant the equivalent permissions to an individual without granting those permissions to other users were put forward. Have you been able to implement any of those options, or do you need additional information on procedures to proceed?
Thank you JARmod101,
  I believe http:#a38321088, http:#a38321148, and http:#a38336180 have what would be the useful answers which should be accepted.