Restricted Group definitions in GPO may be used to add a domain
group as a member in a machine local group. Until the computers
in that OU believe that the accounts with the OU delegation have
rights on/over them, the OU delegation will be limited to privileges
on the computer objects in AD (as distinct from the computers).
Roger
> Hello, I've delegated full control to a security group to an OU, but that
> group still not able to manage computers remotely. For instance, they
[quoted text clipped - 6 lines]
> Thanks,
> TC
Interesting. I have always simply added the groups to the computers'
local Administrators group. The same thing could be done by adding
Administrators to the "Restricted Groups" setting and specifying the
delegated group.
This setting is under:
Computer Configuration
Windows Settings > Security Settings > Restricted Groups
Regards,
J Wolfgang Goerlich
> Hello, I've delegated full control to a security group to an OU, but that
> group still not able to manage computers remotely. For instance, they cannot
[quoted text clipped - 5 lines]
> Thanks,
> TC
Roger Abell [MVP] - 27 Jul 2007 07:37 GMT
> Interesting. I have always simply added the groups to the computers'
> local Administrators group. The same thing could be done by adding
[quoted text clipped - 5 lines]
> Computer Configuration
> Windows Settings > Security Settings > Restricted Groups
Just to be clear, the way one would do this, add a domain group
named for example OuControllers to the Administrators group
on all machines in the OU, is to add a Restricted Group definition
in a GPO linked to that OU. The Restricted Group definition would
be for the group OuControllers, one would leave the Members list
empty (not set) and would type in Administrators as the one entry
in the Member-Of list.
Roger
>> Hello, I've delegated full control to a security group to an OU, but
>> that
[quoted text clipped - 10 lines]
>> Thanks,
>> TC
tin - 27 Jul 2007 20:08 GMT
I came across this one policy but wasn't sure what it was for.
Thank you so much for all you guys' help!
>> Interesting. I have always simply added the groups to the computers'
>> local Administrators group. The same thing could be done by adding
[quoted text clipped - 30 lines]
>>> Thanks,
>>> TC
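Added example, not part of any post in this thread: a small Python audit of the [Group Membership] section that a GPO's Restricted Groups setting writes to GptTmpl.inf, covering both forms described above (Administrators with a Members list, and a domain group with Administrators in Member-Of). It reports which principals end up in local Administrators and whether the entry is additive or replaces the existing membership. The SIDs for OuControllers and the second group are constructed, the function name is hypothetical, and entries are assumed to be written as SIDs.

```python
import configparser

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Constructed SIDs: stand-ins for the OuControllers group and one other domain group.
OU_CONTROLLERS = "S-1-5-21-1111111111-2222222222-3333333333-1105"
OTHER_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1106"

# Constructed [Group Membership] sections in the GptTmpl.inf layout.
# Roger's form: the domain group is the entry, Administrators is in Member-Of.
MEMBER_OF_FORM = f"""[Group Membership]
*{OU_CONTROLLERS}__Memberof = *{ADMINISTRATORS}
*{OU_CONTROLLERS}__Members =
"""
# J Wolfgang Goerlich's form: Administrators is the entry, the groups are its Members.
MEMBERS_FORM = f"""[Group Membership]
*{ADMINISTRATORS}__Memberof =
*{ADMINISTRATORS}__Members = *{OU_CONTROLLERS},*{OTHER_GROUP}
"""


def local_admin_grants(inf_text):
    """Return (principal, mode) for each principal the template puts in local Administrators."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case as written
    parser.read_string(inf_text)
    findings = []
    if not parser.has_section("Group Membership"):
        return findings
    for key, value in parser.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        group = group.lstrip("*")
        listed = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        if kind.lower() == "memberof" and ADMINISTRATORS in listed:
            # Additive: the group is added, existing local members are kept.
            findings.append((group, "additive"))
        elif kind.lower() == "members" and group == ADMINISTRATORS:
            # Authoritative: the list replaces the current membership.
            findings.extend((member, "authoritative") for member in listed)
    return findings


if __name__ == "__main__":
    for name, text in (("Member-Of form", MEMBER_OF_FORM), ("Members form", MEMBERS_FORM)):
        for principal, mode in local_admin_grants(text):
            print(f"{name}: {principal} -> local Administrators ({mode})")
```

GptTmpl.inf files in SYSVOL are stored as UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to the function.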