Hi Mark,

You might want to have a look at the Active Directory Delegation Best Practices 
document available from MS @ 
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
Might not answer your question directly but it's an awesome primer on 
delegation.

Francis 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: July 19, 2005 9:12 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] Delegation of privilege

Search microsoft.com for secdefs.doc

The document is....

Default access control settings in Windows Server 2003

Mark
-----Original Message-----
From: "TIROA YANN" <[EMAIL PROTECTED]>
Date: Tue, 19 Jul 2005 15:03:40
To:<[email protected]>
Subject: RE: [ActiveDir] Delegation of privilege

Ok, Thanks Sakari and Dan for your answers :) 
 
I will test TWEAKUI for Windows XP. 
 
But in fact, my need is rather giving a user server op, or equivalent 
privilege, for only *one DC* and not the whole DCs of my Domain. 
 
Last question: Where are all the privileges defined for built-in accounts? 
Are they in a .ini file or whatever? 
Ex: domain admins have the right to do this action. I'd like to find where 
those privileges are declared.... in a special ACL, a file, a registry?.... 
 
Thanks for Input :)
Yann
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, July 19, 2005 08:47
To: [email protected]
Subject: RE: [ActiveDir] Delegation of privilege

This may be a “rotten” answer or a perfect answer…  Check out TWEAKUI for 
Windows XP.  Its ACCESS CONTROL section gives you “UI” ability to change very 
specific activities’ permissions, e.g. creating a share, etc.  You might try it 
(in a lab, first of course) as far as how it works on 2003 for the specific 
things you are trying to accomplish.  Because the Access Control will be server 
(in your case, DC) specific, it might just work.  I’ve NOT tried it… but I 
think it’d be worth a shot. 

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 3:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Delegation of privilege

Hi Yann,

You could grant your user those privileges that are listed as User Rights, by 
applying a corresponding Group Policy Object to only one DC. However, this is 
probably not enough for you. For example, you cannot grant a privilege to 
format hard drives or share folders this way.

Yours, Sakari

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: [email protected]
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)

I would like to give one of my users "server operator" privilege on only 
one DC, and not the whole DCs of my AD 2003.

I know that DCs do not have sam locally, and the only way to give this 
privilege is to use the Built-in Groups in the Built-in Container. But doing 
this allows my user to be server op for all DCs in my domain.

The purpose of my question is:

=> to give one user the privilege to fully manage *only one* DC with 
"server operator" privilege, without having the right to use MMCs such as 
ADUC, Schema, dssite, replmon, repadmin commands.

Is this possible?

Thanks for input.

Cheers,

Yann