I would also follow these steps to contain security within AD as much as possible:
http://technet.microsoft.com/en-us/magazine/2006.05.smarttips.aspx

There are many others, but at least use the Delegation of Control Wizard to configure OU Admins for each OU you want to control.

Josh Rickard

From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On Behalf Of Adam Compton
Sent: Thursday, June 6, 2013 12:30 PM
To: Edward Ned Harvey (lopser)
Cc: tech@lists.lopsa.org
Subject: Re: [lopsa-tech] AD management permissions

You may be interested in the "Delegation of Control Wizard":
http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

These permissions are all ACL based, so you can assign them by hand, but the wizard is a nice shortcut.

- Adam Compton

On 6/6/13 9:49 AM, Edward Ned Harvey (lopser) wrote:

I've only been searching for like half an hour yet, but so far I'm finding only confusion. Suppose you want to grant some admins the permission to join computers to an AD domain, but only under a certain OU... Or you want certain admins to be able to reset passwords while others cannot... Where are these permissions located?

I started looking at AD RMS (rights management service), but I hope that's the wrong direction. Because it requires a combination of stuff installed on the server and client, which breaks the standard molds we've deployed in this organization so far, so it will require me to create a new OU, new GPO, new security policy (not to mention a new server)... It uses IIS, .Net, and various other services installed on the server, but significantly different from the others we've deployed before, as well as the AD RMS client on your laptop... It sounds complex and labor intensive, and I'm not even sure it's what I'm supposed to be doing, so I'm hoping this is the wrong direction to go...
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
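Added worked example (editor's addition, not from any message in this thread or from the linked articles): the two delegations Ned asks about, written straight onto the OU's ACL with PowerShell. This is the same kind of ACE the Delegation of Control Wizard creates, so it also shows what to look for when auditing an OU the wizard has touched. The domain (corp.example), OU (Workstations) and group names (OU-Workstation-Joiners, OU-Helpdesk) are assumptions; the class and extended-right GUIDs are the fixed values from the AD schema. It needs the RSAT ActiveDirectory module and an account allowed to modify the OU's security descriptor.

```powershell
# Editor's example, not code from the thread. Assumed names: domain corp.example,
# OU "Workstations", groups OU-Workstation-Joiners and OU-Helpdesk.
Import-Module ActiveDirectory

$ouDN     = 'OU=Workstations,DC=corp,DC=example'
$joiners  = Get-ADGroup 'OU-Workstation-Joiners'
$helpdesk = Get-ADGroup 'OU-Helpdesk'

# Fixed schema GUIDs (these are the same in every AD forest).
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # objectClass: computer
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # objectClass: user
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$pwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute: pwdLastSet

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Join computers to the domain, but only under this OU:
#    allow the joiners group to create and delete computer objects directly in the OU.
#    Inheritance "None" keeps the right from flowing down into child OUs.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$joiners.SID,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

# 2. Reset passwords on user objects anywhere under this OU (descendant user objects only),
#    plus read/write pwdLastSet so helpdesk can tick "user must change password at next logon".
#    The sixth constructor argument scopes the inherited ACE to the user object class.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$helpdesk.SID,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show the explicit (non-inherited) ACEs for the two groups on this OU.
# The same query, run over every OU, is a cheap way to find delegations nobody remembers adding.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited -and
                   $_.IdentityReference -match 'OU-Workstation-Joiners|OU-Helpdesk' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Two caveats a practitioner will want alongside this. First, the create/delete right above covers a machine that creates a fresh computer object when it joins; if computer accounts are pre-staged by someone else, the joining account additionally needs Reset Password, Validated write to DNS host name, Validated write to service principal name and Write Account Restrictions on the descendant computer objects, which the wizard's "Join a computer to the domain" task does not grant on its own. Second, the delegation only restricts anything once ms-DS-MachineAccountQuota on the domain object has been set to 0; with the default value of 10, every authenticated user can still join ten machines into the default Computers container regardless of what the OU ACLs say.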