This may be a “rotten” answer or a perfect answer… Check out TWEAKUI for Windows XP. Its ACCESS CONTROL section gives you “UI” ability to change very specific activities’ permissions, e.g. creating a share, etc. You might try it (in a lab first, of course) as far as how it works on 2003 for the specific things you are trying to accomplish. Because the Access Control will be server (in your case, DC) specific, it might just work. I’ve NOT tried it… but I think it’d be worth a shot.

 

Dan

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 3:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Delegation of privilege

 

Hi Yann,

 

You could grant your user those privileges that are listed as User Rights, by applying a corresponding Group Policy Object to only one DC. However, this is probably not enough for you. For example, you cannot grant a privilege to format hard drives or share folders this way.

 

Yours, Sakari

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: [email protected]
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)

 

I would like to give one of my users "server operator" privilege on only one DC, and not all the DCs of my AD 2003.

I know that DCs do not have a SAM locally, and the only way to give this privilege is to use the Built-in Groups in the Built-in Container. But doing this allows my user to be server op for all DCs in my domain.

 

The purpose of my question is:

=> to give one user the privilege to fully manage *only one* DC with "server operator" privilege, without having the right to use MMCs such as ADUC, Schema, dssite, replmon, repadmin commands.

 

Is this possible?

 

Thanks for input.

 

Cheers,

 

Yann

 

 
