My original post wasn't worth reading!
I'm a bit confused with types of administrator;
Basically I want my technicians to be able to have read access to the Active Directory, and be able to reset passwords on accounts.
They also must be able to add / remove machines from the domain.
I've tried Account Operators, but this doesn't let them do the adding / removing of machines, and Domain Admins seems to give them more or less full control in AD.
What would you suggest?
You need to use the delegation of authority wizard. Resetting passwords is easy from that and if you have your machines in an OU of their own then you can delegate them more permissions over that than containers with users in etc.
With regards to ChrisH check this website address for a step by step guide:
this is great, thanks a lot.
One thing though...
I forgot to mention the domain setup; basically it's mostly 2003 but one of the DCs is 2000 (don't snigger).
Will it still work?
Erm...? I believe it won't. I think 2000 cripples the extra functionality of 2003, but I think Chris will know better than I.
You can have domain controllers running Windows 2000 Server in a Windows 2003 domain. You just need the most recent version of adminpak.msi to manage it from Windows 2000 or XP.
Yeah, but you won't be able to raise the domain functional level (and get the extra features) to Windows 2003 Server.
Started to look at this, and it could be the solution...
It will work nicely for controlling what they can and can't see in the Active Directory; however, I still can't figure out what permissions to give to allow a non domain admin the ability to join a computer to a domain.
I've added my test user to a group called technicians, and using the Delegate Control wizard I've allowed the test user to be able to create computer accounts (which works), but when I log on to a machine as that test user, the Network ID settings are greyed out.
What am I doing wrong?
Did you also assign them the 'add computers to domain' user right?
Yes, here is what I have done in full:
Made a new group "technicians"
Made a new user "penguin", who is a standard user, not an admin
Made a new container "test"
Added penguin to technicians
Delegated the required control over the test OU
Gone to Default Domain Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment and given the group technicians "Add workstations to domain"
Penguin can now do the things in the test OU I want, and not the things I don't. Great.
However, if penguin logs onto a workstation and goes to the Network ID settings, all options are greyed out (even after a forced policy refresh).
Basically I need to ask a new question;
How do I allow a non-administrator user to join a machine to the domain (for example a sysprepped, out-of-the-box machine)?
The way I thought it worked is that any user account can add up to 10 computers to a domain, if they need to add more they will need to be a member of the account operators group or have permissions delegated to them in AD.
I would guess the change name button is greyed out because they are not local administrators. Perhaps you should create a "tech" group with all of your IT staff in the group and add it to the local administrators groups on your PCs (doable through restricted groups in group policy or manually).
You can't do that with a domain account. You need a local group on the machine with 'add computer to domain' rights.
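The two halves of the answer above (delegated rights on the OU in AD, plus a local administrator token on the workstation for the join itself) can be scripted rather than clicked through the wizard. The following is an added example, not from any poster in the thread, using modern tooling (the ActiveDirectory PowerShell module from RSAT and dsacls.exe); the domain name example.local, the NetBIOS name EXAMPLE, and the OU, group and user names are placeholders taken from the thread's own walkthrough.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module,
# dsacls.exe, and a placeholder domain example.local / NetBIOS name EXAMPLE.
# Sections 1-3 run on a domain member as a Domain Admin; section 4 runs on the
# workstation as a LOCAL administrator, supplying the delegated domain account.

Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=local'      # placeholder domain DN
$ouDN     = "OU=test,$domainDN"        # the "test" OU from the thread
$netbios  = 'EXAMPLE'                  # placeholder NetBIOS domain name

# 1. Group, user and OU exactly as the thread lays them out.
New-ADOrganizationalUnit -Name 'test' -Path $domainDN
New-ADGroup -Name 'technicians' -GroupScope Global -Path $domainDN
New-ADUser -Name 'penguin' -SamAccountName 'penguin' -Path $domainDN `
    -AccountPassword (Read-Host 'Password for penguin' -AsSecureString) -Enabled $true
Add-ADGroupMember -Identity 'technicians' -Members 'penguin'

# 2. Delegation scoped to the OU only (the ACEs the Delegate Control wizard
#    writes): create/delete computer objects, and the "Reset Password"
#    control-access right on user objects. Read access is already granted to
#    Authenticated Users by default, so nothing extra is needed for "read AD".
#    An explicit create-child right here also means the technicians are not
#    limited by the default 10-machine quota mentioned earlier in the thread.
dsacls $ouDN /I:T /G "${netbios}\technicians:CCDC;computer"
dsacls $ouDN /I:S /G "${netbios}\technicians:CA;Reset Password;user"

# 3. Verify what was actually written before handing it to the technicians;
#    only the OU=test entries should mention the group.
dsacls $ouDN | Select-String 'technicians'

# 4. On the workstation: the join (and the rename) needs a LOCAL administrator
#    token, which is why the Network ID buttons are greyed out for a plain
#    domain user. Log on with the machine's local admin account, open an
#    elevated prompt, and pass the delegated DOMAIN credential for the join.
#    -OUPath puts the computer object under OU=test so the ACE above applies.
Add-Computer -DomainName 'example.local' -OUPath $ouDN `
    -Credential (Get-Credential "${netbios}\penguin") -Restart
```

Once the machine is on the domain, the "tech" group suggested above can be pushed into the workstation's local Administrators group through Restricted Groups in Group Policy, so later renames or re-joins no longer need the built-in local account. The Domain Admins group is never touched: the technicians' reach in AD is bounded by the OU the ACEs were written on, which is the whole point of the wizard.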
That explains it then;
So am I right in saying, other than making my technicians members of Domain Admins (and giving them unwanted access to the AD), there is no way I can let them add, remove and change machine identifications?
They can if the machine is already on the domain. But it's a bit pointless then.