Delegating Administration Permissions In Windows Server 2012 April 8, 2013Posted by vbry21 in Microsoft Training, Windows 2012.
One of the courses I teach is the Microsoft Windows 2012 Installing and Configuring course, the Microsoft designation is the 20410B
In the presentation, we look at delegating administrative tasks in Active Directory in Windows Server 2012
By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have permission to create computer objects in any new OU. However, as discussed earlier, we recommend that you tightly restrict membership in the first three groups, and that you do not add Administrators to the Account Operators group.
Instead, you should delegate the permission to create computer objects (called Create Computer Objects) to appropriate administrators or support personnel. This permission, which is assigned to an OU’s group, allows group members to create computer objects in that OU. For example, you might allow your desktop support team to create computer objects in the clients OU, and allow your file server administrators to create computer objects in the file servers OU.
To delegate permissions to create computer accounts, you can use the Delegate Control Wizard to choose a custom task to delegate. When you delegate permissions to manage computer accounts, you might consider granting additional permissions beyond those required to create computer accounts. For example, you might decide to allow a delegated administrator to manage the properties of existing computer accounts, to delete the computer account, or to move the computer account.
This demonstration shows you how to create delegated administrators in Windows Server 2012.
The demonstration is available at the BryanQA Youtube site