-----------------------------------------------------------
Attention: Non-Delivery Report
-----------------------------------------------------------
This report is generated by the email server at:
ivytech.edu
The message with subject:
"RE: [ActiveDir] Delegation of privilege"
and attached to this report was not delivered to
the following recipients:
Address: [EMAIL PROTECTED]
Reason: 554 5.5.2 No valid recipients (554)
--------------
--- Begin Message ---
I will read carefully all the docs you forwarded me.
I just noticed that when I do a "whoami /all" command on my DC with my domain
admin account (for example), I find these privileges:
SeChangeNotifyPrivilege activate
SeImpersonatePrivilege activate
SeCreateGlobalPrivilege activate
I wonder if, by just giving a user these privileges, this user would have the
same privileges .... but I think it is a .... a naive thought :-)
I would rather read secdefs.doc, the Active Directory Delegation Best Practices
document, and delegwiz.inf.
Thanks all for your help.
Yann
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, July 19, 2005 15:12
To: ActiveDir.org
Subject: Re: [ActiveDir] Delegation of privilege
Search microsoft.com for secdefs.doc
The document is....
Default access control settings in Windows Server 2003
Mark
-----Original Message-----
From: "TIROA YANN" <[EMAIL PROTECTED]>
Date: Tue, 19 Jul 2005 15:03:40
To:<ActiveDir@mail.activedir.org>
Subject: RE: [ActiveDir] Delegation of privilege
Ok, thanks Sakari and Dan for your answers :)
I will test TWEAKUI for Windows XP.
But in fact, what I need is rather to give a user Server Operator, or an
equivalent privilege, on only *one DC* and not all the DCs of my domain.
Last question: where are all the privileges defined for built-in accounts?
Are they in an .ini file or whatever?
E.g.: Domain Admins have the right to do this action. I'd like to find where
those privileges are declared.... in a special ACL, a file, the registry?....
Thanks for your input :)
Yann
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, July 19, 2005 08:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege
This may be a “rotten” answer or a perfect answer… Check out TWEAKUI for
Windows XP. Its ACCESS CONTROL section gives you “UI” ability to change very
specific activities’ permissions, e.g. creating a share, etc. You might try it
(in a lab, first of course) as far as how it works on 2003 for the specific
things you are trying to accomplish. Because the Access Control will be server
(in your case, DC) specific, it might just work. I’ve NOT tried it… but I
think it’d be worth a shot.
Dan
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege
Hi Yann,
You could grant your user those privileges that are listed as User Rights, by
applying a corresponding Group Policy Object to only one DC. However, this is
probably not enough for you. For example, you cannot grant a privilege to
format hard drives or share folders this way.
Yours, Sakari
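Sakari's point, that the privileges listed as User Rights can be assigned per DC through a GPO, and Yann's earlier question about where those privileges are declared, both come down to the same place: each DC's local LSA policy, which `secedit /export /cfg <file>` writes out as an INF whose `[Privilege Rights]` section lists every right and the SIDs holding it. The script below is an added example, not code from this thread or from Microsoft. It parses a constructed export of that format for one DC, reports what a given principal (here BUILTIN\Server Operators) holds, and flags any principal holding a sensitive right beyond an assumed baseline. The SID table is partial, the baseline allowlist and the domain SID `S-1-5-21-...-1105` are constructed, and the sample is not a real default template.

```python
"""Audit the [Privilege Rights] section of a secedit export from one DC.

Constructed example: SAMPLE_EXPORT imitates the output of
    secedit /export /cfg dc-rights.inf
on a Windows Server 2003 domain controller.  The baseline below is an
assumption (what we expect on this particular DC), not the Microsoft default.
"""
from typing import Dict, List, Set

# Constructed sample export.  Holders are '*'-prefixed SIDs, comma-separated.
# The S-1-5-21-...-1105 domain SID is made up and represents an extra account
# that someone granted backup rights on this DC.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-11,*S-1-5-32-544,*S-1-5-32-549,*S-1-5-9
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
"""

# Partial well-known SID table: only the entries this sample needs.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-9": "ENTERPRISE DOMAIN CONTROLLERS",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
    "S-1-5-32-550": "BUILTIN\\Print Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Assumed baseline: which principals we expect to hold each sensitive right
# on this DC.  Anything else is reported as a finding.
BASELINE: Dict[str, Set[str]] = {
    "SeBackupPrivilege": {"S-1-5-32-544", "S-1-5-32-549", "S-1-5-32-551"},
    "SeRestorePrivilege": {"S-1-5-32-544", "S-1-5-32-549", "S-1-5-32-551"},
    "SeTakeOwnershipPrivilege": {"S-1-5-32-544"},
    "SeLoadDriverPrivilege": {"S-1-5-32-544", "S-1-5-32-550"},
}


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {right name: [holder, ...]} from the [Privilege Rights] section.

    Holders keep their SID string with the leading '*' removed; an account
    name that secedit could not express as a SID is kept verbatim.
    """
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def describe(sid: str) -> str:
    """Friendly name for a well-known SID, otherwise the SID itself."""
    return WELL_KNOWN_SIDS.get(sid, sid)


def rights_held_by(rights: Dict[str, List[str]], sid: str) -> List[str]:
    """Every user right the given principal holds on this DC, sorted."""
    return sorted(r for r, holders in rights.items() if sid in holders)


def find_unexpected_holders(rights: Dict[str, List[str]],
                            baseline: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {right: [holder not in baseline, ...]} for each baselined right."""
    findings: Dict[str, List[str]] = {}
    for right, allowed in baseline.items():
        extra = [h for h in rights.get(right, []) if h not in allowed]
        if extra:
            findings[right] = extra
    return findings


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_EXPORT)
    print("Server Operators hold:", rights_held_by(parsed, "S-1-5-32-549"))
    for right, extra in find_unexpected_holders(parsed, BASELINE).items():
        print(f"FINDING {right}: unexpected holder(s) "
              + ", ".join(describe(h) for h in extra))
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents (secedit writes the INF as UTF-16, so open it with that encoding). The per-DC angle from Sakari's answer shows up here directly: exports from two DCs in the same domain can differ in this section whenever a GPO linked only to one of them changes a user right, so comparing each DC's export against the same baseline is the check that catches a one-off grant.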
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of privilege
Hello AD Gurus :)
I would like to give one of my users the "server operator" privilege on only
one DC, and not all the DCs of my AD 2003.
I know that DCs do not have a local SAM, and the only way to give this
privilege is to use the Built-in Groups in the Built-in Container. But doing
this allows my user to be a server op for all DCs in my domain.
The purpose of my question is:
=> to give one user the privilege to fully manage *only one* DC with
"server operator" privilege, without having the right to use MMCs such as
ADUC, Schema, dssite, or the replmon and repadmin commands.
Is this possible?
Thanks for your input.
Cheers,
Yann
--- End Message ---