Need help with delegating GPO rights

[Michael Holzemer]

We have some technicians that are somewhat inadequate when it comes to
being computer savvy. But I need them to be able to add workstations
to the domain, logon on to servers (DCs and Member), shut down servers
and view the event log.

I understand the Add Workstations To Domain right works but it only
works up to 10 times. I know the Create computer objects right would
solve this but with wanting them to be able to login, I don't actually
want them to be able to go into the structure and add objects by
mistake in there, other than the computers they add to the domain.

What have you seen that indicates that the add workstation to the domain
right works only 10 times? I am familiar with the fact that the default
logons without a domain controller is 10 times (max 50), but have yet to see
a limit on the add rights. Is this perhaps what you are referring to?

--
Regards,

Michael Holzemer
No email replies please - reply in newsgroup

Learn script faster by searching here
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/default.asp

 

[Herb Martin]

We have some technicians that are somewhat inadequate when it comes to

being computer savvy. But I need them to be able to add workstations
to the domain, logon on to servers (DCs and Member), shut down servers
and view the event log.

Pretty much sounds like an "Account Operator" -- check it out and see
if that meets you needs.

 

[BoostGeek]

We have some technicians that are somewhat inadequate when it comes to
being computer savvy. But I need them to be able to add workstations
to the domain, logon on to servers (DCs and Member), shut down servers
and view the event log.

I understand the Add Workstations To Domain right works but it only
works up to 10 times. I know the Create computer objects right would
solve this but with wanting them to be able to login, I don't actually
want them to be able to go into the structure and add objects by
mistake in there, other than the computers they add to the domain.

Any info would be great. Thanks.


BoostGeek

 

[BrianK]

Account operator would allow also allow the techs to create user accounts &
groups, probably something that Boast does not want.
Boast,
Take an OU, right click, select Delegate control, and then give the techs
the ability to add computer objects to the domain. The techs can then add
computer accounts to the domain.
As far as logon onto the server, make the techs Server Operators to log and
shut down the server.
HTH,
BrianK

 

[BrianK]

Domain Users are allowed to create up to 10 computer accounts in the domain.
The purpose was for RIS so that a user could stage their own computers.
http://www.microsoft.com/technet/tr...technet/prodtechnol/winxppro/proddocs/526.asp
HTH,
BrianK