rookie_b
asked on
2008R2 Active Directory - Delegate rights to users to join machines to AD but not users
Hello,
We have departmental technicians that need to be able to pre-stage and join machines in particular OUs but not be able to create users. At the moment we just make them members account operators, but this gives them access to create both users and machines, and in any OU. Maybe if we could create separate groups that are similar to the Account Operators, but can only create/join machines to designated OUs? Or by using delegated rights, but really not sure what boxes to tick on that one.
Cheers!
We have departmental technicians that need to be able to pre-stage and join machines in particular OUs but not be able to create users. At the moment we just make them members account operators, but this gives them access to create both users and machines, and in any OU. Maybe if we could create separate groups that are similar to the Account Operators, but can only create/join machines to designated OUs? Or by using delegated rights, but really not sure what boxes to tick on that one.
Cheers!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Yes once you grant the group permissions they will be able to perform any and all actions you grant the SG on that OU.
ASKER