Assuming the servers are at least Windows 2000 or newer, the administrative 
tools can be installed using adminpak.msi which is found in 
%systemroot%\system32 which is usually c:\winnt\system32 or c:\windows\system32.

It is also possible to delegate control in the AD over a couple of servers 
either individually or by OU, but the best practice would be to use a separate 
account for the admin tasks as Daniel describes and use a group to delegate 
control in the AD if that's really necessary. You want to be careful not to 
delegate too much control. Full control over the OU gives the delegated 
administrators too much since they would be able to create additional OUs and 
any kind of objects that they would want. Very bad in most enterprises.

Only delegate control in AD if you absolutely have to and then audit those 
activities closely to avoid disasters of forest-wide proportions.

Wook

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Wednesday, January 10, 2007 6:12 AM
To: [email protected]
Subject: RE: [ActiveDir] Domain Admin

I might go so far as to create a new account for the consultant.  Inform
the consultant to only use the new account when they need to perform the
work on the two servers.  A new account will allow you to audit their
work and also watch for "creep".  Also, do not give the elevated
account e-mail or anything like that so that there is no way those servers
can pick up anything like a virus or spyware.

Dan

> -------- Original Message --------
> Subject: [ActiveDir] Domain Admin
> From: "Patrick" <[EMAIL PROTECTED]>
> Date: Tue, January 09, 2007 10:19 pm
> To: <[email protected]>
>
>        I have a consultant that is asking for domain admin rights on 2 member 
> servers. I have googled it but nothing seems to work out right. The servers 
> are on the domain but the consultant just has a domain user account. He can 
> log on to the servers while they are on the domain but the administrative 
> tools are not there (as it should be). I want to create an OU and put the two 
> machines in that OU and delegate control to the consultant's domain user 
> account. Any other way to do this without registry hacks or scripts?  All 
> assistance welcomed
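
One way to audit the kind of OU delegation discussed in this thread, as an added example that is not part of the original messages: it lists ACEs set directly on an OU that grant Full control, child-object creation, or permission changes to principals outside an expected list. The OU distinguished name and the expected-principal list are assumptions to adjust for your domain.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) is installed and the
# caller can read the OU's security descriptor. The OU name is a placeholder.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$ouDn = 'OU=ConsultantServers,DC=example,DC=com'   # hypothetical OU

# Rights that let a delegate create objects under the OU or rewrite its
# permissions. A "Full control" ACE (GenericAll) contains all of them.
$risky = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteDacl, WriteOwner'
$full  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Principals assumed to hold such rights legitimately; adjust for your domain.
$expected = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    '*\Domain Admins', '*\Enterprise Admins'
)

$acl = Get-Acl -Path "AD:\$ouDn"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($ace.IsInherited) { continue }          # only ACEs set on this OU itself
    $rights = $ace.ActiveDirectoryRights
    if ([int]($rights -band $risky) -eq 0) { continue }

    $id = $ace.IdentityReference.Value
    if ($expected | Where-Object { $id -like $_ }) { continue }

    [pscustomobject]@{
        Identity    = $id
        FullControl = (($rights -band $full) -eq $full)
        Rights      = $rights
        # An all-zero ObjectType means the right covers every object class.
        ObjectType  = $ace.ObjectType
        AppliesTo   = $ace.InheritanceType
    }
}

if ($findings) {
    $findings | Sort-Object Identity | Format-Table -AutoSize
} else {
    "No unexpected broad delegation found on $ouDn"
}
```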

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx