How to create “domain admin” per OU
Hi All,
I have Admin in various location I would like to remove them from Domain Admins group
and create a group per location.
I have created an OU for each location and I want them to have full Admin right on USERS and COMPUTERS of their OU.
What is the Best Practice to obtain what I want?
Example:
Location A has OU call A-Unit
I will create a new group call A-Admins
I want A-Admin to have full Admin Right on Users and computers of A-Unit ( should be able to join machine to domain, install software and drivers on users machine, create account, reset password, delete users, create group, delete group...)
Location B has OU call B-Unit
I will create a new group call A-Admins..same thing..
I have Admin in various location I would like to remove them from Domain Admins group
and create a group per location.
I have created an OU for each location and I want them to have full Admin right on USERS and COMPUTERS of their OU.
What is the Best Practice to obtain what I want?
Example:
Location A has OU call A-Unit
I will create a new group call A-Admins
I want A-Admin to have full Admin Right on Users and computers of A-Unit ( should be able to join machine to domain, install software and drivers on users machine, create account, reset password, delete users, create group, delete group...)
Location B has OU call B-Unit
I will create a new group call A-Admins..same thing..
Tomislavj
maybe you could try with restricted groups
Hi,
If you want to grant Local Admin rights for particular common users, I suggest we could configure Restricted Groups via Group Policy or Local User and Groups option in GPP to achieve the target. For details, please refer to the following articles.
How to use Restricted Groups? Part I
http://www.frickelsoft.net/blog/?p=13
Part II
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
Hope it helps you.
If you want to grant Local Admin rights for particular common users, I suggest we could configure Restricted Groups via Group Policy or Local User and Groups option in GPP to achieve the target. For details, please refer to the following articles.
How to use Restricted Groups? Part I
http://www.frickelsoft.net/blog/?p=13
Part II
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
Hope it helps you.
ASKER
I want Admin to have full admin right but only on their OU. They should have right to :
- Add new computer to the Domain (New user will be move by default to Computer Directory.)
- Move computer from COMPUTER folder to their OU
- Create a New User, New Group in Their OU
- reset User Password
- Install application and Drivers on users computer
-
- Add new computer to the Domain (New user will be move by default to Computer Directory.)
- Move computer from COMPUTER folder to their OU
- Create a New User, New Group in Their OU
- reset User Password
- Install application and Drivers on users computer
-
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.