User group assigned to OU of computers for...


S. Valdez

the ability to perform certain types of jobs, such as
install printers and add workstations to a domain -
without having true administrator privileges on the
network but kind of on the workstations. What would be the
best way to configure this?

This is the way I think will work:
1. Create an OU of computers
2. Create a user group such as 'AdSupport'
3. On the OU create a Group Policy for it and configure
the computer portion of it, allowing 'AdSupport' the
ability to do specific User Rights Assignments and
Security Options.

Feedback on this setup would be greatly appreciated and if
you know of a better way to do this please let me know.
 
The problem with your solution is that the user right "add
workstations to the domain" only applies to settings in the domain
controller level security policy and is ignored at any other level. That
user right only gives designated groups/users the right to add ten
workstations to the domain. A solution that may work for that is Active
Directory delegation where you can delegate "certain" administrative tasks
to a user without being an administrator, such as managing users/groups,
edit a GPO, and adding computers. You can also add domain users to the local
administrators group on domain workstations, which would give them no
special powers for the domain. You could do that on a large number of
computers for an OU using "restricted groups" if need be. --- Steve

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/526.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;235531
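
The delegation approach described in the reply above, sketched in PowerShell as an added example that is not part of the original thread. The OU path and the `EXAMPLE` domain name are hypothetical placeholders, `AdSupport` is the group name from the question, and the commands assume the ActiveDirectory module (RSAT) and an account allowed to edit the OU's ACL.

```powershell
# Added example, not from the thread. Assumed names: the OU DN and the
# EXAMPLE domain are placeholders; AdSupport is the group from the question.
Import-Module ActiveDirectory

$ouDn  = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU of computers
$group = 'EXAMPLE\AdSupport'                   # hypothetical domain prefix

# 1. Read the per-user limit behind the "add workstations to the domain"
#    user right. It is stored on the domain object (default value: 10).
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 2. Delegate "create computer objects" on this OU only.
#    CC = create child; /I:T = this object and its sub-objects.
#    This grants creation only; the group gets no rights elsewhere in the domain.
dsacls $ouDn /I:T /G "${group}:CC;computer"

# 3. Review the result: list every allow ACE on the OU that permits creating
#    computer objects, either specifically or for all child object types.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class 'computer'
$createChild   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $createChild) -eq $createChild) -and
        ($_.ObjectType -in $computerClass, [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Running step 3 before and after step 2 shows exactly what the delegation changed, and the same query is useful later for spotting groups that have accumulated this right on the OU.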
 