I agree with many of the other posts here – a domain level is likely the correct area to do this, simply because the usual location for a joined computer is the Computers Container – not an OU. If they don’t have access to the container, then they aren’t going to be able to join them.

What is the scope of the delegated permissions? Is it ‘This object and all child objects’? Also, I think that I’d create a new delegation in the Advanced properties of the AD Securities tab (it might exist – if you aren’t used to using the Advanced view of Security in AD, you won’t see it) for the techs. This time, however – you are going to want to select Computer Objects from the dropdown, then select ‘Full Control’ for the techs. Save this.

If you don’t have a clear idea on how to proceed, reply back. I’ll send or post detailed instructions with pictures, if necessary, on how to do exactly what you want.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel

Hi,
Thanks for the hint, but I did it too… Here are the settings I have. In the user rights the group technicians is allowed to add computers to the domain. I also have the following perms on the “Computers” OU:

- List content
- Read all properties
- Write all properties
- Read permissions
- Create computer objects
- Delete computer objects
- Read Container info
- Write container info
- Read heuristics
- Write heuristics

I used the delegation wizard on the domain, not on the OU. Is there anything else I’m missing?

Thanks

From: TIROA YANN [mailto:[EMAIL PROTECTED] On behalf of TIROA YANN

Hello ;-)

If you want to delegate creation of computers for a subset of users, you may have to create a security group (i.e. technicians group), then go to the "Default domain controller policy" on "Domain Controllers" OU, and not on the "Default Domain Policy" of your Domain root. Add your group to "Join computer to the domain". Notice that you already have security objects such as authenticated users: remove this group if necessary. Then your users will have the rights to join computers to the domain: those will appear by default in the "Computers" container.

Cheers,
Yann TIROA

I would run the delegation wizard at the Domain.com level and delegate the |
Title: Re: [ActiveDir] delegation not working on Win2k AD
- RE: [ActiveDir] delegation not working on Win2k AD Rick Kingslan
- RE: [ActiveDir] delegation not working on Win2k AD Bruyere, Michel
- RE: [ActiveDir] delegation not working on Win2k AD Dan Holme