• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 586

Windows 2008: tailor-made administrator for a specific domain controller

Dear all:

I have one domain and several domain controllers in different cities, and each city has its own DC. Any idea how to make a tailor-made administrator that delegates full rights to specific cities only?

e.g. city1_admin, city2_admin; they should have full rights in their own cities.

I delegated the OU to them and gave them Server Operators rights, but it seems they can create/delete but still cannot change sharing and permissions on their own servers... but if I gave them Domain Admin it would be too big.

Any idea how to tune it to just give them create/delete/change permission rights for their OU and DC only, while they still have the right to share to people in other cities?
0
Asked: barrykfl
3 Solutions
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Hopefully I understand:
  You want to delegate some rights over an OU to a user/group.
  You also want that user/group to have some rights over a single domain controller.

The first can be solved with the Delegation of Control Wizard.  (If you'd been trying something else... like adding users/groups to the built-in Server Operators or Account Operators groups, remove the entries you added in those groups first.)

The second is trickier.  What rights would you want those users to have in your DCs?  Just permissions to shut down the server in an emergency?  (Give serious thought to what server admin rights you might give to a fully functional DC... )
0
 
Brian Pierce (Photographer) commented:
You can certainly use the delegation of control wizard to limit what they can do and to which domains or OUs http://technet.microsoft.com/en-us/library/dd145344.aspx

It is not practical to limit which DC they can use, since the very concept of AD is that it's a distributed database that can be edited/updated from any appropriate DC.
0
 
barrykfl (Author) commented:
I delegated the OU to them already, but they have Server Operators rights... cannot browse Computer Management, format, assign drive letters, and permissions... this group can create folders on the specific DC but cannot set the security rights. It must be Domain Admin....
Any trick, or must I allow them Domain Admin rights?

The delegation wizard only delegates the OU rights... not control of the specific DC's folders / management of the computer.

> The second is trickier.  What rights would you want those users to have in your DCs?  Just permissions to shut down the server in an emergency?  (Give serious thought to what server admin rights you might give to a fully functional DC... )
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
> The delegation wizard only delegates the OU rights... not control of the specific DC's folders / management of the computer.

Correct.  Rights within the directory don't grant rights to the computers themselves, unless also granted via another mechanism: GPO, for example.

> I delegated the OU to them already, but they have Server Operators rights... cannot browse Computer Management, format, assign drive letters, and permissions... this group can create folders on the specific DC but cannot set the security rights. It must be Domain Admin....
> Any trick, or must I allow them Domain Admin rights?

I'm sorry, I don't understand.
I assume you are still looking for a method of granting rights to a specific domain controller via GPO, without granting Domain Admin.
1. Create a group within Active Directory.
2. Put the users you want to grant rights to the domain controller within that group.
3. Create a GP, and assign rights in "Computer Configuration", "Policies", "Windows Settings", "Security Settings", "Local Policies / User Rights Assignments".  You can give away rights with a fair amount of granularity.  Assign the rights to the group created in step 1.  **
4. Link the GPO to the Domain Controllers OU.  AND in "Security Filtering", specify the ONE, SINGLE domain controller to which you want these permissions to be granted.

** To reiterate what's been said a couple of times however -- realize that granting rights to the domain controller, any domain controller, carries with it a fair amount of risk.  Look carefully at what you are granting, because escalating permissions beyond what you grant becomes possible on a DC.
0
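The four steps above as a PowerShell script (an example added to this thread, not code posted by Rich or shipped by Microsoft). The group, GPO, OU and DC names are assumptions; the User Rights Assignment entries themselves still have to be set in the Group Policy Management Editor, because the GroupPolicy module has no cmdlet for them.

```powershell
# Added example: group + GPO + link + security filtering for ONE domain controller.
# All names below are assumptions for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'CA_DC_Operators'          # assumed: the city admin group
$GpoName   = 'DC - CA local user rights' # assumed GPO name
$TargetDc  = 'CA-DC01'                  # assumed: the single DC that should apply the GPO
$DomainDn  = (Get-ADDomain).DistinguishedName
$DcOu      = (Get-ADDomain).DomainControllersContainer   # "OU=Domain Controllers,DC=..."

# Step 1 and 2: the group that will hold the rights, and its members.
# Assumes the CA OU from the question already exists.
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path "OU=CA,$DomainDn"
Add-ADGroupMember -Identity $GroupName -Members 'ca_administrator'

# Step 3: the GPO. Grant the chosen rights to $GroupName in the editor under
#   Computer Configuration > Policies > Windows Settings > Security Settings >
#   Local Policies > User Rights Assignment
# Keep the list short; every right granted here applies on a DC.
$null = New-GPO -Name $GpoName -Comment "Local rights for $GroupName on $TargetDc only"

# Step 4a: link the GPO to the Domain Controllers OU.
New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes

# Step 4b: security filtering. Replace the default Authenticated Users "Apply"
# with "Read" only (since MS16-072 / KB3163622 computer accounts must still be
# able to read the GPO), then grant "Apply" to the one DC's computer account.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $TargetDc -TargetType Computer -PermissionLevel GpoApply

# Check: the only trustee with GpoApply should be the target DC,
# and the link should be visible on the Domain Controllers OU.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
(Get-GPInheritance -Target $DcOu).GpoLinks | Select-Object DisplayName, Enabled, Order
```

Run `gpupdate /force` on the target DC afterwards and confirm with `gpresult /r` that the GPO is applied there and filtered out on the other DCs.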
 
barrykfl (Author) commented:
How come, if no GPO can be used... is there still any method to make a specific administrator with full control over that DC only?

e.g. I created 2 DCs in the same domain, one in CA and one in NY. I created a CA OU and delegated it to a "ca_administrator" that has Server Operators rights. If I don't set any GPO, how can I allow ca_administrator to create folders, set permissions and have full control on the CA server only?

Now it can create folders on the CA server but cannot change permissions, disk management, etc.
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Not using GPO?  
I haven't tried this one, but since I know having a GPO setting local security policies on the DC does work -- I suppose you COULD assign permissions directly in the local security policies.  (There should be a link from the Administrative Tools.)

Assigning permissions to be able to change permissions on shares and folders would just require FULL CONTROL in the ACLs on the volume, shares, and folders on the server.
0
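What "FULL CONTROL in the ACLs on the volume, shares, and folders" looks like in practice, as an added example rather than code from this thread: it grants the city admin group Full Control on a folder and on its SMB share, since the effective access is the more restrictive of the two. Group, folder and share names are assumptions; the SmbShare cmdlets need Server 2012 or later (on 2008 the share side is done with `net share`).

```powershell
# Added example: NTFS + share Full Control for one city's admin group.
# All names are assumptions for illustration.
$GroupName = 'CONTOSO\CA_DC_Operators'  # assumed domain group holding ca_administrator
$Folder    = 'D:\CityShares\CA'         # assumed folder on the CA server
$ShareName = 'CA'                       # assumed share name

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# NTFS side: Full Control on the folder, inherited by subfolders and files,
# so the group can later change permissions on anything it creates there.
$acl  = Get-Acl -Path $Folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    $GroupName, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Share side: create the share with Full access for the group, or add the
# group to an existing share's ACL. Without this, NTFS Full Control alone
# still leaves remote users limited by the share permissions.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $Folder -FullAccess $GroupName | Out-Null
} else {
    Grant-SmbShareAccess -Name $ShareName -AccountName $GroupName -AccessRight Full -Force | Out-Null
}

# Check both sides: the group should show FullControl (not inherited) on the
# folder and Full on the share.
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference -eq $GroupName } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
Get-SmbShareAccess -Name $ShareName | Select-Object AccountName, AccessRight
```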
 
barrykfl (Author) commented:
I've requested that this question be deleted for the following reason:

NO help ~
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
I'm sorry that you feel that no help was provided.  If I understand your question correctly, you want to make an individual full administrator over a single domain controller, but not other domain controllers in the same domain.  Domain controllers don't have a local security database in the same way that other computers have.  Options to grant the equivalent permissions to an individual without granting those permissions to other users were put forward.  Have you been able to implement any of those options, or do you need additional information on procedures to proceed?
0
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Thank you JARmod101,
I believe http:#a38321088, http:#a38321148, and http:#a38336180 have what would be the useful answers which should be accepted.
0