Delegating control of a single DC

F Lam
Hello,

I am trying to delegate the control of a single DC. I know about the
delegation of OUs in AD. However, this only allows management of
objects within that OU and does not allow the management of the server
itself. I am wondering what is the best way to go about doing this.
For instance, I would like to let a non-admin, non-Server Operator
account log on locally to the server. I also want that account to
be able to manage services, manage the DNS service, DHCP service, etc.,
only on that particular server. Basically, I would like the account to
have local admin privileges on the server except for the AD portion.

I was thinking of putting the DC in a sub-OU under the Domain Controllers
OU, and then applying a GPO to the sub-OU. However, a GPO would not allow
me to grant permission to everything on the server.

How should I do this?

Thanks

Fritz
 
Hi.
This could be an option.

Using Local Policies allows you to give users access to the local
server. Using these policies allows you to add users to
the "log on locally" right. Also, you can then add a group policy
that allows that user full access to whatever you want,
and in the policies there is a section that denies access to
Active Directory Users & Computers, " ", etc.

Hope this helps,

Cheers,
Brian Lockwood
MCSE~
 
The tasks that you want the user to do cannot be delegated. You can create
a GPO that gives a user the ability to log on locally and to stop and start
services, but you cannot give them the ability to manage DNS, DHCP, etc. by
delegation or by using a GPO. Those are privileges assigned to the local
admin group.


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
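The two replies above describe what a GPO can and cannot hand out: the "log on locally" user right and the ability to stop and start services. The script below is an added example, not code from any of the posters, that shows the service part done explicitly, per service and on one server only, by editing each service's security descriptor with sc.exe. The group name CONTOSO\DC01-SvcOps is a hypothetical placeholder; the service names DNS and DHCPServer are the real names of the Windows DNS Server and DHCP Server services. It assumes a current Windows Server with sc.exe and secedit.exe, run from an elevated PowerShell session on the target DC.

```powershell
# Added example (not part of the original thread). Grants one domain group
# start/stop/pause/query rights on selected services on THIS server only,
# by appending an ACE to each service's DACL with sc.exe sdset.
param(
    [string]$Group      = 'CONTOSO\DC01-SvcOps',   # hypothetical group name
    [string[]]$Services = @('DNS', 'DHCPServer')   # Windows DNS Server / DHCP Server services
)

# SDDL ACEs take SIDs, not names, so resolve the group first.
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Service-specific rights granted, as SDDL access letters:
#   CC query config      LC query status     SW enumerate dependents
#   RP start             WP stop             DT pause/continue
#   LO interrogate       CR user-defined control   RC read security descriptor
# Deliberately NOT granted: DC (SERVICE_CHANGE_CONFIG), WD (WRITE_DAC), WO (WRITE_OWNER).
# On a DC most of these services run as LocalSystem; letting someone change the
# binary path or run-as account of such a service is equivalent to Domain Admin.
$ace = "(A;;CCLCSWRPWPDTLOCRRC;;;$sid)"

foreach ($svc in $Services) {
    # sc.exe sdshow prints a blank line followed by the SDDL string "D:(...)S:(...)".
    $current = & sc.exe sdshow $svc | Where-Object { $_ -match '^D:' }
    if (-not $current) { Write-Error "Could not read security descriptor for $svc"; continue }

    if ($current -like "*$sid*") {
        Write-Host "$svc already has an ACE for $Group; skipping"
        continue
    }

    # Split the DACL from the optional SACL so the new ACE lands inside the DACL.
    if ($current -match '^(D:.*?)(S:.*)?$') {
        $dacl = $matches[1]
        $sacl = $matches[2]    # $null when the service has no SACL part
    }
    $new = $dacl + $ace + $sacl
    & sc.exe sdset $svc $new | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Error "sdset failed for $svc (exit $LASTEXITCODE)" }
    else { Write-Host "Updated $svc" }
}

# Verify: re-read each descriptor and show only the ACE that names our group.
foreach ($svc in $Services) {
    $sddl = & sc.exe sdshow $svc | Where-Object { $_ -match '^D:' }
    $ours = ($sddl -split '\(') | Where-Object { $_ -like "*$sid*" }
    Write-Host "$svc : ($ours"
}

# The logon right is separate from the service ACLs. On a DC it comes from the
# Default Domain Controllers Policy (User Rights Assignment), so the group must
# also be added to "Allow log on locally" there; this just reports who holds it now.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight' | ForEach-Object { $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Because the ACE is written into the service's own security descriptor on one host, it does not travel to other DCs the way an OU delegation or a domain-wide group would. Granting only start/stop and query, and never SERVICE_CHANGE_CONFIG or WRITE_DAC, is the part that keeps this from quietly becoming full control of the box. Interactive logon to a domain controller is still interactive access to a machine that holds the domain's credentials, so the scope of who gets the "Allow log on locally" right should be reviewed with the same care as the service ACLs.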
 
I don't think what you want to do is possible. Normally
DCs run domain-wide services and are regulated by AD, not
local groups. Once you run DCPROMO on a server you
no longer have access to the local accounts that existed
previously.
In my network we don't allow admins to log on to the DCs.
Therefore we manage the DNS from central point. We load
DHCP on a member server and give them rights to that
server.
 