Guest topokin
Posted March 11, 2008

I need to resolve the following administrative privileges.

1) Group of helpdesk users should have administrative privilege on member servers in the domain. The privilege should permit them being able to administer everything on these systems, including Event-viewer, services and schedules.

2) A particular service account should only be able to add new systems (clients and member servers) into the domain.

I looked through delegation but could not find how to configure these privileges.

There are Account, Printer, and Server operators groups in the Builtin container. Do these groups have domain-wide privileges, or are the privileges limited only to the domain controllers?

Thanks for your assistance.

topokin

Guest Danny Sanders
Posted March 11, 2008

Re: Administrative privilege

> 1) Group of helpdesk users should have administrative privilege on member
> servers in the domain. The privilege should permit them being able to
> administer everything on these systems, including Event-viewer, services
> and schedules.

Create a group, add the users to the group. Add the group to the Administrators group on each server you want them to be admin on.

> 2) A particular service account should only be able to add new systems
> (clients and member servers) into the domain.

What do you mean by "service account"? By default a "user" can add to computers to the domain. That can be increased with a reg hack.

hth
DDS

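The steps in the reply above (create a group, add the helpdesk users, add the group to the local Administrators group on each server), as an added PowerShell example that is not part of the original thread and uses current ActiveDirectory and LocalAccounts cmdlets. The group name, OU paths and user names are hypothetical, and PowerShell remoting is assumed to be enabled on the member servers.

```powershell
# Added example, not code from the thread. Group, OU and user names are hypothetical.
Import-Module ActiveDirectory

$GroupName = 'Helpdesk-ServerAdmins'                 # hypothetical group
$GroupOU   = 'OU=Groups,DC=example,DC=com'           # hypothetical OU for the group
$ServerOU  = 'OU=Member Servers,DC=example,DC=com'   # hypothetical OU with the servers
$Members   = 'hd.user1', 'hd.user2'                  # hypothetical helpdesk accounts
$Principal = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName

# Step 1: create the group if it does not exist and add any missing users.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
$current = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
$toAdd   = $Members | Where-Object { $_ -notin $current }
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# Step 2: add the group to the local Administrators group on each server.
# S-1-5-32-544 is the well-known SID of that group, so this works on localized systems.
$servers = Get-ADComputer -SearchBase $ServerOU -Filter 'OperatingSystem -like "*Server*"' |
    Select-Object -ExpandProperty DNSHostName

$report = foreach ($server in $servers) {
    try {
        $admins = Invoke-Command -ComputerName $server -ErrorAction Stop -ArgumentList $Principal -ScriptBlock {
            param($Principal)
            $sid = 'S-1-5-32-544'
            $names = Get-LocalGroupMember -SID $sid | Select-Object -ExpandProperty Name
            if ($names -notcontains $Principal) {
                Add-LocalGroupMember -SID $sid -Member $Principal
            }
            Get-LocalGroupMember -SID $sid | Select-Object -ExpandProperty Name
        }
        [pscustomobject]@{ Server = $server; Status = 'OK'; LocalAdmins = $admins -join '; ' }
    }
    catch {
        [pscustomobject]@{ Server = $server; Status = "Failed: $($_.Exception.Message)"; LocalAdmins = '' }
    }
}

# Review who now holds local admin rights on every server, not just the new group.
$report | Format-Table -AutoSize -Wrap
```

The report lists every member of each server's local Administrators group, so stale or unexpected accounts show up at the same time the helpdesk group is added.
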
Guest topokin
Posted March 11, 2008

Re: Administrative privilege

> > 2) A particular service account should only be able to add new systems
> > (clients and member servers) into the domain.
>
> What do you mean by "service account"? By default a "user" can add to
> computers to the domain. That can be increased with a reg hack.

What I meant here is the account will be used by the Client Administrator to add new clients into the domain through the PacketingSoftware.

Guest Danny Sanders
Posted March 11, 2008

Re: Administrative privilege

I don't know what the PacketingSoftware is or how it works.
To have an account that is able to add more than 10 computers to the domain, see:
http://support.microsoft.com/kb/243327/en-us

hth
DDS

Guest topokin
Posted March 11, 2008

Re: Administrative privilege

Sorry, I am just coming from an NT domain into AD.

What the packetingSoftware does is to set up a new client and add it to the domain. I will assume that a certain Admin privilege is required to join a new client to a domain. The idea is to give just this privilege to this special account, instead of using DomainAdministratorAccount.

Guest Danny Sanders
Posted March 12, 2008

Re: Administrative privilege

Set up an account for the packetering software (just a regular user) to run under and modify how many computers it can add to the domain by using this link:
http://support.microsoft.com/kb/243327/en-us

hth
DDS

Guest topokin
Posted March 13, 2008

Re: Administrative privilege

Danny,

Thanks for the tips, the migration to AD is actually planned for this weekend. Just trying to put things together.

Coming back to Admin-Privileges on MemberServers, is there no way to configure it globally on the OU with delegation, instead of adding the group to each server individually?