Delegating Control...

  • Thread starter Thread starter Harrison Midkiff
  • Start date Start date
H

Harrison Midkiff

Hello:

After a series of errors due to to many people having domain admin accounts
I have finally decided to run the Delegation of Control wizard and restrict
users access. I created a group and want to only allow them to do the
following.

1. Join Computers to the domain
2. Move computers between OU's
3. Reset user passwords
4. Create Exchange Mailboxes
5. Add and remove groups to users.

I tried to use the Delegation of Control wizard but it didn't seems to give
me these options. Does anyone have experience running this who could help
me out. Thanks.

Harrison Midkiff
 
Hello harrison,

you can definatly find these options but for that you have to do a customize
delegation. that will give you all the options. Also be careful about the
adminSDHolder

you can also go through article: KB 817433

need help mail me.
 
Hello harrison,

Thanks you posting!

I agree with kapil. You may follow his helpful suggestion. More information
below is for your reference:

888204 How to use the Delegation of Control Wizard to grant permissions to a
http://support.microsoft.com/?id=888204

315676 HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;315676

883381 Delegating administrator roles to an administrative group can grant
the
http://support.microsoft.com/?id=883381

304935 How to set Exchange Server 2000 and 2003 mailbox rights at the time
of
http://support.microsoft.com/?id=304935

Hope the information helps. If there is anything that is unclear, please
feel free to let me know.

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| Thread-Topic: Delegating Control...
| thread-index: AcW5uks0VtgKAxwDQMKh1bAO+sGjUQ==
| X-WBNR-Posting-Host: 203.99.195.2
| From: "=?Utf-8?B?a2FwaWw=?=" <[email protected]>
| References: <[email protected]>
| Subject: RE: Delegating Control...
| Date: Wed, 14 Sep 2005 22:57:02 -0700
| Lines: 33
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.win2000.active_directory
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.win2000.active_directory:33520
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Hello harrison,
|
| you can definatly find these options but for that you have to do a
customize
| delegation. that will give you all the options. Also be careful about the
| adminSDHolder
|
| you can also go through article: KB 817433
|
| need help mail me.
|
| "Harrison Midkiff" wrote:
|
| > Hello:
| >
| > After a series of errors due to to many people having domain admin
accounts
| > I have finally decided to run the Delegation of Control wizard and
restrict
| > users access. I created a group and want to only allow them to do the
| > following.
| >
| > 1. Join Computers to the domain
| > 2. Move computers between OU's
| > 3. Reset user passwords
| > 4. Create Exchange Mailboxes
| > 5. Add and remove groups to users.
| >
| > I tried to use the Delegation of Control wizard but it didn't seems to
give
| > me these options. Does anyone have experience running this who could
help
| > me out. Thanks.
| >
| > Harrison Midkiff
| >
| >
| >
|
 
Jason:

Thanks for replying to my post.

I know how to do the Delegation of Control, but the descriptions of all the
permissions are not very good. Do you know any place that has good
descriptions of these?

Harrison Midkiff
 
Hi Harrision,

Thanks for your reply!

Based on my search, I cannot find the document which describes all the
permissions since it could be much more due the different requirement. You
may consider which permission should be granted to objects to custom a
delegate of control.

1. Join Computers to the domain
2. Move computers between OU's
3. Reset user passwords
4. Create Exchange Mailboxes
5. Add and remove groups to users.

I would like to provide you with some information for your reference:

1. Join Computers to the domain.

By default, domain user has permission to join 10 clients into domain.

2. Move computers between OU's

You may want to delegate user/group create, list, view permission to the
two OUs.

3. Reset user passwords

This is a common task which you may delegate to users/groups. Please refer
to "Reset user passwords and force password change at next logon" option in
common task.

4. Create Exchange Mailboxes

You may attempt to use common task "create, delete, and manage user
accounts."

5. Add and remove groups to users.

You may want to delegate users/groups full control permission to the groups
object.

More information for your reference:
Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
directory/activedirectory/stepbystep/ctrlwiz.mspx

Use this wizard to delegate administrative control
http://www.windowsitpro.com/Article/ArticleID/22555/22555.html?Ad=1

Delegation of Control Wizard
http://www.serverwatch.com/tutorials/article.php/10825_1472441_2

Hope the information helps. If there is anything that is unclear, please
feel free to let me know.

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| Reply-To: "Harrison Midkiff" <[email protected]>
| From: "Harrison Midkiff" <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
| Subject: Re: Delegating Control...
| Date: Thu, 15 Sep 2005 18:48:29 -0400
| Lines: 124
| Organization: Audio Visual Innovations, Inc.
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| Message-ID: <#Jv#[email protected]>
| Newsgroups: microsoft.public.win2000.active_directory
| NNTP-Posting-Host: 208.5.55.190
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.win2000.active_directory:33561
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Jason:
|
| Thanks for replying to my post.
|
| I know how to do the Delegation of Control, but the descriptions of all
the
| permissions are not very good. Do you know any place that has good
| descriptions of these?
|
| Harrison Midkiff
| | > Hello harrison,
| >
| > Thanks you posting!
| >
| > I agree with kapil. You may follow his helpful suggestion. More
| > information
| > below is for your reference:
| >
| > 888204 How to use the Delegation of Control Wizard to grant permissions
to
| > a
| > http://support.microsoft.com/?id=888204
| >
| > 315676 HOW TO: Delegate Administrative Authority in Windows 2000
| > http://support.microsoft.com/default.aspx?scid=kb;en-us;315676
| >
| > 883381 Delegating administrator roles to an administrative group can
grant
| > the
| > http://support.microsoft.com/?id=883381
| >
| > 304935 How to set Exchange Server 2000 and 2003 mailbox rights at the
time
| > of
| > http://support.microsoft.com/?id=304935
| >
| > Hope the information helps. If there is anything that is unclear, please
| > feel free to let me know.
| >
| > Thanks & Regards,
| >
| > Jason Tan
| >
| > Microsoft Online Partner Support
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| >
| > When responding to posts, please "Reply to Group" via your newsreader so
| > that others may learn and benefit from your issue.
| >
| > =====================================================
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| >
| >
| > --------------------
| > | Thread-Topic: Delegating Control...
| > | thread-index: AcW5uks0VtgKAxwDQMKh1bAO+sGjUQ==
| > | X-WBNR-Posting-Host: 203.99.195.2
| > | From: "=?Utf-8?B?a2FwaWw=?=" <[email protected]>
| > | References: <[email protected]>
| > | Subject: RE: Delegating Control...
| > | Date: Wed, 14 Sep 2005 22:57:02 -0700
| > | Lines: 33
| > | Message-ID: <[email protected]>
| > | MIME-Version: 1.0
| > | Content-Type: text/plain;
| > | charset="Utf-8"
| > | Content-Transfer-Encoding: 7bit
| > | X-Newsreader: Microsoft CDO for Windows 2000
| > | Content-Class: urn:content-classes:message
| > | Importance: normal
| > | Priority: normal
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| > | Newsgroups: microsoft.public.win2000.active_directory
| > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl
| > microsoft.public.win2000.active_directory:33520
| > | X-Tomcat-NG: microsoft.public.win2000.active_directory
| > |
| > | Hello harrison,
| > |
| > | you can definatly find these options but for that you have to do a
| > customize
| > | delegation. that will give you all the options. Also be careful about
| > the
| > | adminSDHolder
| > |
| > | you can also go through article: KB 817433
| > |
| > | need help mail me.
| > |
| > | "Harrison Midkiff" wrote:
| > |
| > | > Hello:
| > | >
| > | > After a series of errors due to to many people having domain admin
| > accounts
| > | > I have finally decided to run the Delegation of Control wizard and
| > restrict
| > | > users access. I created a group and want to only allow them to do
the
| > | > following.
| > | >
| > | > 1. Join Computers to the domain
| > | > 2. Move computers between OU's
| > | > 3. Reset user passwords
| > | > 4. Create Exchange Mailboxes
| > | > 5. Add and remove groups to users.
| > | >
| > | > I tried to use the Delegation of Control wizard but it didn't seems
to
| > give
| > | > me these options. Does anyone have experience running this who
could
| > help
| > | > me out. Thanks.
| > | >
| > | > Harrison Midkiff
| > | >
| > | >
| > | >
| > |
| >
|
|
|
 
Have a read through Sanjay Tandan's Best Practices for Delegating Active
Directory Administration document published on Microsoft's site. The Best
Practices for Delegating Active Directory Administration: Appendices has a
lot of details that you may find helpful for this.
 
Hello:

After a series of errors due to to many people having domain
admin accounts
I have finally decided to run the Delegation of Control wizard
and restrict
users access. I created a group and want to only allow them
to do the
following.

1. Join Computers to the domain
2. Move computers between OU's
3. Reset user passwords
4. Create Exchange Mailboxes
5. Add and remove groups to users.

I tried to use the Delegation of Control wizard but it didn't
seems to give
me these options. Does anyone have experience running this
who could help
me out. Thanks.

Harrison Midkif
Click to expand...

These are AT LEAST permissions!!! Also take a look at the Delegation
of Control white paper.
http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
and
http://www.microsoft.com/downloads/...88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

################################
1. JOIN COMPUTERS TO THE DOMAIN
---------------------------------
Well, this is possible through the Delegation of Control Wizard. Read
the following first which gives some recommendations.

The User Right "Add workstation to the domain" by default (configured
in the
Default Domain Controllers GPO) grants EVERY AUTHENTICATED USER (even
non-admin
users) in the domain to add/join workstations to the domain. It is
best to
remove "authenticated users" from that user right or set the quota to
0

For true delegation it is better to delegate the right to create
computer
accounts and to join computers as mentioned below

Using the delegation of control wizard you can delegate the creation
of
computer accounts to the domain. This does not mean the same
user/group can
also JOIN the computer to the domain. In the DELEGWIZ.INF file
(%WINDIR%INF)
look at template 6.....
By default the "AppliesToClasses" is set to "domainDNS" (case
sensitive and
without quotes) With this you can only delegate computer account
creation at
domain level. Change that to "domainDNS,organizationalUnit,container"
(case
sensitive and without quotes) and yuo will be able to delegate at OU
level

If you delegate the creation of computer accounts to a group (e.g.
GROUP-CREATE-COMPOBJ), the member of that group that creates the
computer
becomes the owner of the computer account and automatically receives
the right
to join a computer with that name to the domain. The other members of
that
group will not be able to join the computer to the domain. In this
case only
the user that created the computer account will be able to join the
computer.
Lets say you have another group called GROUP-JOIN-COMP that is allowed
to join
(not create computer accounts) to the domain, the user who creates the
computer
account has the possibility to designate which user or group gets the
rights to
join the computer to the domain with the option ("The following group
or user
can join this computer to a domain" and this is by default Domain
Admins group)
The group mentioned in that option will be able to join the computer
to the
domain. In my opinion that is a lot of work just to create a computer
computer
account and join it.

It is however possible to pre-configure the option called "The
following group
or user can join this computer to a domain and this is by default
Domain Admins
group"

Add to the DELEGWIZ.INF file (%WINDIR%INF) a NEW template you can use
to
delegate the task of JOINING COMPUTERS TO THE DOMAIN (not the creation
of
computer accounts) The minimum rights are mentioned below!

REPLACE THE X with a NUMBER!

;----------------------------------------------------------
[templateX]
AppliesToClasses = domainDNS,organizationalUnit,container

Description = "Join a computer to the domain in an OU (computer
account
pre-created)"

ObjectTypes = computer

[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host
name","Validated
write to service principal name", "Account Restrictions"
;----------------------------------------------------------

This way you can delegate the creation of computer accounts to group1
and the
joining of the computers to group2.

It is also however possible you have a group of people who create
computers
accounts and also join them. To able so everyone in that group can
create a
computer accounts and join the computers to the domain independent who
created
the computer accounts replace TEMPLATE 6 with what is mentioned below
or
perform the delegate twice with the additional task created above! If
you want
to join a computer to the domain in a specific OU and the computer
account has
not been pre-created you cannot use the GUI at the computer. For this
you must
use the tool NETDOM so you can specify the OU the computer account
must reside
in! The latter only is only possible when you at least have the right
to create
a computer object in the designated OU. Joining will also be possible
because
you automatically become the owner of the computer account!

;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container

Description = "Add and/or join a computer to the domain in an OU
(computer)"

ObjectTypes = SCOPE, computer

[template6.SCOPE]
;Right to create computer objects
computer=CC

[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host
name","Validated
write to service principal name", "Account Restrictions"
;----------------------------------------------------------

################################
2. MOVE COMPUTERS BETWEEN OU’S
---------------------------------
In order to move an object in DS, you need the following three
permissions:

1) DELETE_CHILD on the source container or DELETE on the object being
moved
2) WRITE_PROP on the object being moved for two properties: RDN (name)
and
CN (or whatever happens to be the rdn attribute for this class, i.e.
ou for
org units).
3) CREATE_CHILD on the destination container.

This is not available through the delegation of control wizard, thus
you need to customize in the delegation of control wizard by selecting
the correct properties.

################################
3. RESET USER PASSWORDS
---------------------------------
To reset user passwords you need the “Reset Password†extended
right on the user object. This is also available through the
delegation of control wizard using the common delegated task “Reset
a user account’s passwordâ€

If you want to reset user passwords and force password change at next
logon you need the “Reset Password†extended right on the user
object and you need Read/Write permissions on the attribute
“pwdLastSetâ€. This is also available through the delegation of
control wizard using the common delegated task “Reset user passwords
and force password change at next logonâ€

################################
4. CREATE EXCHANGE MAILBOXES
---------------------------------
If you create a user and assign a mailbox you need:
Create User objects, write permissions for the attribute
“userAccountControl†of the user object and the extended right
“Reset Password†on the user object.
This is also available through the delegation of control wizard using
the common delegated task “Create a user accountâ€

To additionally assign a mailbox to the user you need Exchange View
Only Administrator permissions in Exchange (on ORG level or
administrative Group Level, depending on the scope wanted)

To assign a mailbox to a user account you don’t have permissions for
you need the permissions mentioned in
http://support.microsoft.com/Default.aspx?id=316792

################################
5. ADD AND REMOVE GROUPS TO USERS
---------------------------------
The permissions to change group membership is controlled through the
group and not through the user. For this you need RP/WP on the
attribute “member†of the group you want to add another security
principal to (user, group or computer)
This is also available through the delegation of control wizard using
the common delegated task “Modify the membership of a groupâ€
 
Hello,

Thanks for your helpful suggestion! :-)

Have nice day!

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
| Thread-Topic: Delegating Control...
| thread-index: AcW7FgYJky1KHFQ7TT6dn+JTM4dRmw==
| X-WBNR-Posting-Host: 69.199.17.102
| From: "=?Utf-8?B?SlBvbGljZWxsaQ==?="
<[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<#Jv#[email protected]>
<[email protected]>
| Subject: Re: Delegating Control...
| Date: Fri, 16 Sep 2005 16:26:11 -0700
| Lines: 237
| Message-ID: <[email protected]>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.win2000.active_directory
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.win2000.active_directory:33592
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Have a read through Sanjay Tandan's Best Practices for Delegating Active
| Directory Administration document published on Microsoft's site. The
Best
| Practices for Delegating Active Directory Administration: Appendices has
a
| lot of details that you may find helpful for this.
|
| "Jason Tan (MSFT)" wrote:
|
| > Hi Harrision,
| >
| > Thanks for your reply!
| >
| > Based on my search, I cannot find the document which describes all the
| > permissions since it could be much more due the different requirement.
You
| > may consider which permission should be granted to objects to custom a
| > delegate of control.
| >
| > 1. Join Computers to the domain
| > 2. Move computers between OU's
| > 3. Reset user passwords
| > 4. Create Exchange Mailboxes
| > 5. Add and remove groups to users.
| >
| > I would like to provide you with some information for your reference:
| >
| > 1. Join Computers to the domain.
| >
| > By default, domain user has permission to join 10 clients into domain.
| >
| > 2. Move computers between OU's
| >
| > You may want to delegate user/group create, list, view permission to
the
| > two OUs.
| >
| > 3. Reset user passwords
| >
| > This is a common task which you may delegate to users/groups. Please
refer
| > to "Reset user passwords and force password change at next logon"
option in
| > common task.
| >
| > 4. Create Exchange Mailboxes
| >
| > You may attempt to use common task "create, delete, and manage user
| > accounts."
| >
| > 5. Add and remove groups to users.
| >
| > You may want to delegate users/groups full control permission to the
groups
| > object.
| >
| > More information for your reference:
| > Step-by-Step Guide to Using the Delegation of Control Wizard
| >
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/
| > directory/activedirectory/stepbystep/ctrlwiz.mspx
| >
| > Use this wizard to delegate administrative control
| > http://www.windowsitpro.com/Article/ArticleID/22555/22555.html?Ad=1
| >
| > Delegation of Control Wizard
| > http://www.serverwatch.com/tutorials/article.php/10825_1472441_2
| >
| > Hope the information helps. If there is anything that is unclear,
please
| > feel free to let me know.
| >
| > Thanks & Regards,
| >
| > Jason Tan
| >
| > Microsoft Online Partner Support
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| >
| > When responding to posts, please "Reply to Group" via your newsreader
so
| > that others may learn and benefit from your issue.
| >
| > =====================================================
| > This posting is provided "AS IS" with no warranties, and confers no
rights.
| >
| >
| >
| > --------------------
| > | Reply-To: "Harrison Midkiff" <[email protected]>
| > | From: "Harrison Midkiff" <[email protected]>
| > | References: <[email protected]>
| > <[email protected]>
| > <[email protected]>
| > | Subject: Re: Delegating Control...
| > | Date: Thu, 15 Sep 2005 18:48:29 -0400
| > | Lines: 124
| > | Organization: Audio Visual Innovations, Inc.
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
| > | X-RFC2646: Format=Flowed; Original
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
| > | Message-ID: <#Jv#[email protected]>
| > | Newsgroups: microsoft.public.win2000.active_directory
| > | NNTP-Posting-Host: 208.5.55.190
| > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl
| > microsoft.public.win2000.active_directory:33561
| > | X-Tomcat-NG: microsoft.public.win2000.active_directory
| > |
| > | Jason:
| > |
| > | Thanks for replying to my post.
| > |
| > | I know how to do the Delegation of Control, but the descriptions of
all
| > the
| > | permissions are not very good. Do you know any place that has good
| > | descriptions of these?
| > |
| > | Harrison Midkiff
| > | | > | > Hello harrison,
| > | >
| > | > Thanks you posting!
| > | >
| > | > I agree with kapil. You may follow his helpful suggestion. More
| > | > information
| > | > below is for your reference:
| > | >
| > | > 888204 How to use the Delegation of Control Wizard to grant
permissions
| > to
| > | > a
| > | > http://support.microsoft.com/?id=888204
| > | >
| > | > 315676 HOW TO: Delegate Administrative Authority in Windows 2000
| > | > http://support.microsoft.com/default.aspx?scid=kb;en-us;315676
| > | >
| > | > 883381 Delegating administrator roles to an administrative group
can
| > grant
| > | > the
| > | > http://support.microsoft.com/?id=883381
| > | >
| > | > 304935 How to set Exchange Server 2000 and 2003 mailbox rights at
the
| > time
| > | > of
| > | > http://support.microsoft.com/?id=304935
| > | >
| > | > Hope the information helps. If there is anything that is unclear,
please
| > | > feel free to let me know.
| > | >
| > | > Thanks & Regards,
| > | >
| > | > Jason Tan
| > | >
| > | > Microsoft Online Partner Support
| > | > Get Secure! - www.microsoft.com/security
| > | >
| > | > =====================================================
| > | >
| > | > When responding to posts, please "Reply to Group" via your
newsreader so
| > | > that others may learn and benefit from your issue.
| > | >
| > | > =====================================================
| > | > This posting is provided "AS IS" with no warranties, and confers no
| > | > rights.
| > | >
| > | >
| > | >
| > | > --------------------
| > | > | Thread-Topic: Delegating Control...
| > | > | thread-index: AcW5uks0VtgKAxwDQMKh1bAO+sGjUQ==
| > | > | X-WBNR-Posting-Host: 203.99.195.2
| > | > | From: "=?Utf-8?B?a2FwaWw=?=" <[email protected]>
| > | > | References: <[email protected]>
| > | > | Subject: RE: Delegating Control...
| > | > | Date: Wed, 14 Sep 2005 22:57:02 -0700
| > | > | Lines: 33
| > | > | Message-ID: <[email protected]>
| > | > | MIME-Version: 1.0
| > | > | Content-Type: text/plain;
| > | > | charset="Utf-8"
| > | > | Content-Transfer-Encoding: 7bit
| > | > | X-Newsreader: Microsoft CDO for Windows 2000
| > | > | Content-Class: urn:content-classes:message
| > | > | Importance: normal
| > | > | Priority: normal
| > | > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| > | > | Newsgroups: microsoft.public.win2000.active_directory
| > | > | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| > | > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| > | > | Xref: TK2MSFTNGXA01.phx.gbl
| > | > microsoft.public.win2000.active_directory:33520
| > | > | X-Tomcat-NG: microsoft.public.win2000.active_directory
| > | > |
| > | > | Hello harrison,
| > | > |
| > | > | you can definatly find these options but for that you have to do a
| > | > customize
| > | > | delegation. that will give you all the options. Also be careful
about
| > | > the
| > | > | adminSDHolder
| > | > |
| > | > | you can also go through article: KB 817433
| > | > |
| > | > | need help mail me.
| > | > |
| > | > | "Harrison Midkiff" wrote:
| > | > |
| > | > | > Hello:
| > | > | >
| > | > | > After a series of errors due to to many people having domain
admin
| > | > accounts
| > | > | > I have finally decided to run the Delegation of Control wizard
and
| > | > restrict
| > | > | > users access. I created a group and want to only allow them to
do
| > the
| > | > | > following.
| > | > | >
| > | > | > 1. Join Computers to the domain
| > | > | > 2. Move computers between OU's
| > | > | > 3. Reset user passwords
| > | > | > 4. Create Exchange Mailboxes
| > | > | > 5. Add and remove groups to users.
| > | > | >
| > | > | > I tried to use the Delegation of Control wizard but it didn't
seems
| > to
| > | > give
| > | > | > me these options. Does anyone have experience running this who
| > could
| > | > help
| > | > | > me out. Thanks.
| > | > | >
| > | > | > Harrison Midkiff
| > | > | >
| > | > | >
| > | > | >
| > | > |
| > | >
| > |
| > |
| > |
| >
| >
|
 
Back
Top