Solved

AD role to grant and remove computer

Posted on 2014-09-09
5
158 Views
Last Modified: 2014-09-14
What AD role should we add to a user in order to grant or remove a computer in AD. Tks
0
Comment
Question by:AXISHK
  • 2
  • 2
5 Comments
 
LVL 29

Accepted Solution

by:
becraig earned 250 total points
ID: 40313716
Here are the steps to delegate that specific permission:
    Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
    In Active Directory Users and Computers, click View, and then click to select Advanced Features.
    Right-click Computers, and then click Properties.
    Click the Security tab, and then click Advanced.
    In the Access Control Settings for Computers dialog box, click Add, click the name of the user or group to whom you want to grant permission to remove computers from the Computers container, and then click OK.
    In the Permission Entry for Computers dialog box, click This object only in the Apply onto list.
    In the Permissions list, find the Delete Computer Objects permission, click to select the Allow check box next to this permission, and then click OK.
    In the Access Control Settings for Computers dialog box, click Add, click the name of the user or group to whom you want to grant permission to remove computers from the Computers container, and then click OK.
    Click the Properties tab, and then click computer objects in the Apply onto list.
    In the Permissions list, find the Write All Properties permission, click to select the Allow check box next to this permission, and then click OK three times.

More details from MS:
http://support.microsoft.com/kb/818091
0
 
LVL 4

Assisted Solution

by:Neeraj Kumar
Neeraj Kumar earned 250 total points
ID: 40313719
You need to delegate rights to user to add or remove computer in AD.

Refer the below mentioned article

http://dizzyit.com/2013/05/23/delegate-authority-ad-add-remove-computers/
0
 

Author Comment

by:AXISHK
ID: 40313832
can we simply grant users to accout or backup operators to get this right ? Tks
0
 
LVL 29

Expert Comment

by:becraig
ID: 40313842
Domain users should by default have this permission, however the problem will be the permissions at the OU level.

That is why delegation is the best way to approach this:
e.g. your have an OU for computers for the accounting department in an "ACCOUNTS" OU you would not want to have regular domain users add / remove as such this is generally explicitly denied in secure environments.

If you want to give this ability to a group of users, I would suggest creating a new security group and adding the members you want to give this permission to the group, then delegating the right over that specific OU to that group.
0
 

Author Closing Comment

by:AXISHK
ID: 40322340
Tks
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was asked if I could set up a fax machine so that incoming faxes were delivered to people's Exchange inboxes and so that they could send faxes from their desktops without needing to print the document first.  I knew it was possible but I had no id…
I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now