admin permission to user without access to AD Objects
Hi, I want to give administrator permission to a domain user to manage all the clients and to install some software, etc., but I don't want that user to do any admin operations in Active Directory, so how should I achieve this? If I add that user as a member of administrator or domain admins, will he get access to the AD objects? Please help me.
April 3rd, 2012 6:30am

You can make use of delegation in this scenario. You can delegate some of the AD-related tasks on an OU. Refer to the link below, which explains the delegation.
http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
This way you can grant some of the access without adding user accounts to the domain admin or administrator group.
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
April 3rd, 2012 6:45am

You can deploy the software automatically to all the systems by using SCCM. Have you checked this wiki article? Thanks
April 3rd, 2012 6:57am

Prashant, it's not a question about how to delegate, and Yousuf, thanks for your reply. Yes, I can deploy software, but that's not my question; I just said it as an example.
April 3rd, 2012 7:11am

Got it... Basically you can add the domain users to the local administrator group (this will not yield them Active Directory access). They will be local administrators and will be able to perform some administrator tasks on the local computer. You can use Restricted Groups policy to accomplish this.
http://www.windowsecurity.com/articles/using-restricted-groups.html
Question - "I want to give administrator permission for a domain user to manage all the clients"? If you want them to manage all computer accounts in your domain, then delegation is the only way you can achieve this.
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
April 3rd, 2012 7:21am

Hello Rajah, check my wiki article mentioned above for the step-by-step process to make a domain user a local administrator of all the client PCs.
http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-domain-user-as-a-local-administrator-for-all-pcs.aspx
Domain users need not be members of the Domain Admin group to do software installation. Specify clearly what other tasks you want to achieve, so that we can help you. Thanks
April 3rd, 2012 8:18am

Hi, thanks to both of you. The answers seem to be okay, but my exact requirement is this: an application is to be installed on a server, and that application tries to register a service. It is not happening. I found the access denied error in the logs of that application, even though I made that domain user a member of the local administrators group. When I do it from the Domain Administrator or local administrator account it's happening, but not from that user.
April 4th, 2012 5:45am

"Hi, thanks to both of you. The answers seem to be okay, but my exact requirement is this: an application is to be installed on a server, and that application tries to register a service. It is not happening. I found the access denied error in the logs of that application, even though I made that domain user a member of the local administrators group. When I do it from the Domain Administrator or local administrator account it's happening, but not from that user."

Disable UAC on that server and then try to install the application.
This posting is provided "AS IS" with no warranties or guarantees and confers no rights. Most of the downtimes are caused because of SysAdmin's curiosity! - Santosh
April 4th, 2012 6:00am

"Hi, thanks to both of you. The answers seem to be okay, but my exact requirement is this: an application is to be installed on a server, and that application tries to register a service. It is not happening. I found the access denied error in the logs of that application, even though I made that domain user a member of the local administrators group. When I do it from the Domain Administrator or local administrator account it's happening, but not from that user."

Interesting. By default, local administrators have installation rights, i.e., for example, if I am a local administrator on one of the member servers, I will have full access to install software on it. So you mean to say that you have added them to the local administrator group of the member server, and still they are not able to install the software?

"When I do it from the Domain Administrator or local administrator account it's happening, but not from that user."

This is confusing. You said a local administrator cannot install the software, so how come you were able to install it with local administrator rights?
Regards, _Prashant_ MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
April 4th, 2012 6:14am

Hi Prashant, again you have not understood my point. It's not about application installation, it's about registering a service. I am able to install the software, but after the installation I need to run a batch file related to that software which registers a service with the operating system, and that service registration was denied access. I changed User Account Control to Never notify, changed the group membership to administrator in Control Panel user accounts as well, and rebooted the server; then everything went smoothly. Anyhow, thanks for your support, guys. Thanks, rajah r
April 4th, 2012 7:39am
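
Added example, not part of the original thread: a PowerShell check for the situation described above, where a member of the local Administrators group gets access denied when a batch file registers a service. It tells a UAC-filtered (non-elevated) token apart from missing group membership and relaunches the batch file elevated, leaving the UAC setting unchanged; `$BatchFile` is a hypothetical placeholder path.

```powershell
# Added example; $BatchFile is a placeholder for the vendor's registration script.
param(
    [string]$BatchFile = 'C:\Path\To\register-service.cmd'
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only when BUILTIN\Administrators is *enabled* in this process token,
# i.e. the process is elevated. Group membership alone is not enough under UAC.
$isElevated = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# A filtered token still lists the Administrators SID (S-1-5-32-544), marked
# as deny-only. Matching on the SID avoids locale-dependent column names.
$adminLine = whoami /groups /fo csv /nh |
    Where-Object { $_ -match 'S-1-5-32-544' }
$isMember = [bool]$adminLine

if (-not (Test-Path -LiteralPath $BatchFile)) {
    Write-Output "Batch file not found: $BatchFile"
    return
}

if ($isElevated) {
    # Full administrator token: creating a service is permitted.
    Write-Output 'Token is elevated; running the registration script.'
    & cmd.exe /c "`"$BatchFile`""
}
elseif ($isMember) {
    # Member of Administrators but running with the filtered token. This is
    # the case that produces "access denied" on service registration.
    # The built-in Administrator account is exempt from this filtering by
    # default, which matches the behaviour reported in the thread.
    Write-Output 'Administrators member, not elevated; requesting elevation.'
    Start-Process -FilePath cmd.exe `
        -ArgumentList '/c', "`"$BatchFile`"" -Verb RunAs -Wait
}
else {
    Write-Output "$($identity.Name) is not in local Administrators."
}
```

Running the script from a normal (non-elevated) prompt as the delegated user triggers one consent prompt for the batch file only, so UAC can stay at its default level on the server.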


This topic is archived. No further replies will be accepted.
