[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 115
  • Last Modified:

How to create “domain admin” per OU

Hi All,

I have Admin in various location I would like to remove them from Domain Admins group
and create a group per location.
I have created an OU for each location and I want them to have full Admin right on USERS and COMPUTERS of their OU.
What is the Best Practice to obtain what I want?
Example:
Location A has OU call A-Unit
I will create a new group call A-Admins
I want A-Admin to have full Admin Right on Users and computers of A-Unit ( should be able to join machine to domain, install software and drivers on users machine, create account, reset password, delete users, create group, delete group...)


Location B has OU call B-Unit
I will create a new group call A-Admins..same thing..
0
tanopatrice
Asked:
tanopatrice
1 Solution
 
TomislavjSystem AdminCommented:
maybe you could try with restricted groups
0
 
palicosCommented:
Hi,

If you want to grant Local Admin rights for particular common users, I suggest we could configure Restricted Groups via Group Policy or Local User and Groups option in GPP to achieve the target. For details, please refer to the following articles.
How to use Restricted Groups? Part I

http://www.frickelsoft.net/blog/?p=13

Part II

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Hope it helps you.
0
 
tanopatriceAuthor Commented:
I want Admin to have full admin right but only on their OU. They should have right to :
- Add new computer to the Domain (New user will be move by default to Computer Directory.)
- Move computer from COMPUTER folder to their OU
- Create a New User, New Group in Their OU
- reset User Password
- Install application and Drivers on users computer
-
0
 
Henrik JohanssonSystems engineerCommented:
Use delegation control and set permission on the OU A-Unit so thd  A-Admins group has the necessary permissions for the object types.The permissions are set through right click OU and choose delegate control, or using the security tab in the OU properties

Create computer objects.
 Full control on computer objects.
Create/delete user objects.
Full control on user objectd.

For local permissions to install software, use restricted groups features posted in GPO linked ro Iö OU containing computer objectd.
0
 
Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now