Delegating permission using group policy

  • Question

  • HI,

    I'm the system admin in my company, and there are support employees. I want to grant these employees permission to have local admin rights on all computers and the authority to add users to the domain, but I don't want them to be able to create or delete users, or edit group policies (domain admin is not an option).

    How can I do that using group policy?

    Monday, August 6, 2012 7:41 AM

Answers

  • Hi,

    If you want to grant the local admin permission on all computers to some specific users in the domain, we could try to configure Restricted Group setting via Group Policy. We could refer to the detailed steps described in the following article to try to configure the GPO.

    How to make Domain User as a Local Administrator for all PCs

    http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-domain-user-as-a-local-administrator-for-all-pcs.aspx

    In addition, we could also achieve the target via PowerShell. For details, please refer to the article below.

    How Can I Add a Domain User to a Local Administrators Group?

    http://blogs.technet.com/b/heyscriptingguy/archive/2004/10/08/how-can-i-add-a-domain-user-to-a-local-administrators-group.aspx

    If you want to grant some domain admin permission to some specific users, such as adding users to the domain, we could try to use the Delegate Control wizard to achieve the target.

    To delegate administrative authority by using the Delegation Wizard

    1. Right-click a container or OU and select Delegate Control. The Delegation of Control Wizard Welcome page is displayed.
    2. Click Next. The Users or Groups page is displayed.
    3. On the Users or Groups page, click Add. The Select Users, Computers, or Groups page is displayed.
    4. On the Select Users, Computers, or Groups page, in the Enter the object names to select box, type the name of the user or security group to which you want to delegate tasks. You can add multiple users or security groups. When you are finished entering users or groups, click OK.
    5. On the Users or Groups page, click Next.
    6. On the Tasks to Delegate page, select the check boxes of the tasks that you want to delegate. You can also create a custom task to delegate, as described later in this appendix.
    7. Once you have selected the tasks that you want to delegate, click Next. The Delegation of Control Wizard displays a summary of the tasks you just delegated.
    8. Click Finish to complete the delegation.

    For details, please refer to the following article.

    Appendix G: Active Directory Delegation Tools

    http://technet.microsoft.com/en-us/library/cc756087(v=WS.10).aspx

    Regarding detailed information about Restricted Groups, I suggest we refer to the Microsoft KB article below; it may be useful to us.

    Restricted Groups

    http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

    Regards,

    Andy

    • Marked as answer by Andy Qi Tuesday, August 14, 2012 8:32 AM
    Wednesday, August 8, 2012 2:28 PM
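As an added example that is not part of this thread or of the linked Microsoft articles, the following PowerShell covers the two halves of the answer: putting a domain group into a machine's local Administrators group, and delegating only the "modify group membership" right on an OU (rather than the wizard's "Create, delete, and manage user accounts") so the support staff cannot create or delete users, followed by a check of what the resulting ACL actually grants. It assumes a hypothetical domain group CONTOSO\SupportStaff, a hypothetical OU OU=Users,OU=Corp,DC=contoso,DC=com under which the groups they manage live, a hypothetical computer WS-0001, and the ActiveDirectory RSAT module on the admin workstation.

```powershell
# Added example (not from the thread). Assumptions: support staff are in the
# hypothetical group CONTOSO\SupportStaff, the OU below is hypothetical, and the
# ActiveDirectory module is installed. Run as an account with rights on the OU.

$SupportGroup = 'CONTOSO\SupportStaff'                 # hypothetical group
$TargetOU     = 'OU=Users,OU=Corp,DC=contoso,DC=com'   # hypothetical OU

# --- 1. Local admin rights on one computer (scripted alternative to the
#        Restricted Groups GPO; loop over more computer names as needed).
Invoke-Command -ComputerName 'WS-0001' -ScriptBlock {
    param($Group)
    # Only add the group if it is not already a member (idempotent re-runs).
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Group -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Group
    }
} -ArgumentList $SupportGroup

# --- 2. Delegate only write access to the 'member' attribute of group objects
#        under the OU. WP = write property; 'member' is the attribute; 'group'
#        limits the ACE to group objects; /I:S applies it to child objects only.
#        No CreateChild/DeleteChild is granted, so users cannot be created or deleted.
dsacls $TargetOU /I:S /G "${SupportGroup}:WP;member;group"

# --- 3. Verify: list every ACE the support group holds on the OU and flag
#        anything broader than the single write-member right.
Import-Module ActiveDirectory
$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $SupportGroup } |
    ForEach-Object {
        $broad = $_.ActiveDirectoryRights -match 'CreateChild|DeleteChild|GenericAll|WriteDacl|WriteOwner'
        [pscustomobject]@{
            Rights     = $_.ActiveDirectoryRights
            ObjectType = $_.ObjectType        # schema GUID of the attribute or class
            Inherit    = $_.InheritanceType
            TooBroad   = [bool]$broad         # True means more than membership editing was granted
        }
    } | Format-Table -AutoSize
```

If you use the Restricted Groups GPO from the answer instead of step 1, note that a policy configured with "Members of this group" replaces the entire local Administrators membership on every targeted machine, while "This group is a member of" only adds the listed group.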
