I want to create one delegate permission with custom role

  • Question

  • Hi Support,

    I want to create one delegate permission: a user who has the permission to manage one OU, join client PCs to the domain, and change the client PC network adapter settings.

    I don't want to grant admin roles to any of the users. Please help by sharing the permission.

    Friday, July 5, 2019 11:42 AM


All replies

  • Hello,
    Thank you for posting in our TechNet forum.

    For the three delegate permissions:

    1. Have the permission to manage one OU

    I cannot find such a delegate permission in the Delegation of Control Wizard, under either "Delegate the following common tasks" or "Create a custom task to delegate".



    2. Join client PC to the domain

    By default, a common domain user can join 10 PCs to the domain, but we can change this through the ms-DS-MachineAccountQuota attribute.





    3. Change the client PC network adapter settings

    We must be members of the local Administrators group to change the client PC network adapter settings.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 8, 2019 4:37 AM
    Moderator
  • Hi Daisy,

    We can change the domain PC adapter setting without making a local admin.

    It is possible: we can assign permission via delegation, and the user will be able to join PCs to the domain and change the adapter settings.

    Monday, July 8, 2019 8:46 AM
  • Hi,
    Would you please share the information with us? Thank you for your sharing and time in advance!



    Best Regards,
    Daisy Zhou


    Tuesday, July 9, 2019 7:21 AM
    Moderator
  • Hi,
    Does this question have any update, or is this issue solved? Also, is there any other assistance we could provide for the question?


    Best Regards,
    Daisy Zhou


    Thursday, July 11, 2019 3:25 AM
    Moderator
  • Hi Daisy,

    I am unable to change the domain user PC IP address and remove the user from the domain.

    Please help to share the steps.

    Thursday, July 11, 2019 10:36 AM
  • Hi,
    We can share the steps here. But would you please describe the steps in detail?

    Thank you very much!




    Best Regards,
    Daisy Zhou


    Friday, July 12, 2019 10:40 AM
    Moderator
  • Hi Daisy,

    I want to create one user and assign delegation so that they can remove and join user computers on the domain.

    Wednesday, July 17, 2019 11:00 AM
  • Hi,
    I did a test in my test environment; we can try the following steps:

    1. If we do not want common domain users to add PCs to the domain, we can set the value of the ms-DS-MachineAccountQuota attribute to 0 (by default, the value is 10).

    If we want to keep common domain users adding PCs to the domain, we can keep the value of the ms-DS-MachineAccountQuota attribute at 10.

    2. Create an OU called PC in AD and create the computer (we called it Win10-1709) in this OU.

    3. Right-click the OU and select Delegate Control -> click the Next button -> add users or groups -> click the Next button -> click "Create a custom task to delegate" -> click the Next button -> click "Only the following objects in the folder".

    Check "Computer objects" below, check "Create selected objects in this folder" and "Delete selected objects in this folder", and click "Next".

    4. Click the Next button, and under General, check the following boxes:

    Reset password
    Read and write account restrictions
    Validated write to DNS host name
    Validated write to service principal name

    Then I can join the computer to the domain and remove the PC from the domain (when the value of the ms-DS-MachineAccountQuota attribute is 0).



    Best Regards,
    Daisy Zhou


    Thursday, July 18, 2019 11:09 AM
    Moderator
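
The delegation steps in the reply above can also be scripted and then audited. The following PowerShell is an added example, not part of the original thread: the group `CONTOSO\PC-Join-Operators` and the OU path `OU=PC,DC=contoso,DC=example` are assumed placeholder names, and it relies on the ActiveDirectory module and the built-in `dsacls` tool.

```powershell
# Added example: scripted equivalent of the Delegate Control wizard steps above.
# Assumed placeholder names (not from the thread): the group and the OU DN below.
Import-Module ActiveDirectory

$Trustee = 'CONTOSO\PC-Join-Operators'     # hypothetical delegated group
$OuDn    = 'OU=PC,DC=contoso,DC=example'   # hypothetical OU holding the computers
$Domain  = Get-ADDomain

# Step 1: stop ordinary domain users from creating computer accounts (default is 10).
Set-ADDomain -Identity $Domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# Steps 3-4: grant only the rights selected in the wizard.
# /I:T = this OU and its children, /I:S = child objects only.
$grants = @(
    @{ Scope = '/I:T'; Ace = 'CCDC;computer' }   # create/delete computer objects
    @{ Scope = '/I:S'; Ace = 'CA;Reset Password;computer' }
    @{ Scope = '/I:S'; Ace = 'RPWP;Account Restrictions;computer' }
    @{ Scope = '/I:S'; Ace = 'WS;Validated write to DNS host name;computer' }
    @{ Scope = '/I:S'; Ace = 'WS;Validated write to service principal name;computer' }
)
foreach ($g in $grants) {
    & dsacls.exe $OuDn $g.Scope /G "${Trustee}:$($g.Ace)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$($g.Ace)'" }
}

# Audit: confirm the quota and list exactly what the trustee now holds on the OU,
# so any broader right (for example GenericAll) stands out in review.
$quota = (Get-ADObject -Identity $Domain.DistinguishedName `
          -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Trustee } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType,
                  InheritanceType, AccessControlType |
    Format-Table -AutoSize
```

Granting to a group rather than a single user keeps the ACL stable when staff change, and the final listing can be saved as a baseline to compare against later.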
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!



    Best Regards,
    Daisy Zhou


    Monday, July 22, 2019 11:36 AM
    Moderator
  • Hi Daisy,

    Thanks for support.

    Saturday, August 3, 2019 7:15 AM
  • Hi,
    You are welcome! Thank you for your update.

    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you! 
     
    Have a nice day!



    Best Regards,
    Daisy Zhou


    Monday, August 12, 2019 9:26 AM
    Moderator