Link to home
Create AccountLog in
Avatar of waltforbes
waltforbesFlag for Bahamas

asked on

How to enable users to manage "AD Sites and Services" snap-in (dssite.msc) without placing them in Domain Admins or Enterprise Admins groups?

Points of My Scenario:

1. I am admin of a Windows Server 2008 R2 domain


2. I need to enable select users to replicate Active Directory changes using dssite.msc (AD Sites and Services snap-in)- without placing them in the Domain Admins or Enterprise Admins groups.


3. I want to create a group, then use Delegation of Control Wizard or an appropriate Active Directory object's ACL to enable this custom group to have the access mentioned in point 2.


QUESTION: What is the best way to grant a custom group the permissions to use dssite.msc (Active Directory Sites and Services) to manually manage replication?

ASKER CERTIFIED SOLUTION
Avatar of Seth Simmons
Seth Simmons
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of waltforbes

ASKER

Hi Seth, many thanks for your answer. The reason I need to do this is that sometimes an alias or ACL (or other AD change) needs to be updated immediately. It could be due to DR (disaster recovery) concerns or troubleshooting.