On 10/29/21 16:55, Rowland Penny via samba wrote:> On Fri, 2021-10-29 at 16:34 -0500, Patrick Goetz via samba wrote:
>> I would like to have a user with limited domain admin capabilities;
>> namely the ability to add new users and add users to groups, with
>> the
>> ideal being to also able to help users reset their password and
>> create/delete groups. But this user would not be able to create
>> OU's,
>> edit Group Policy, or do anything else other than work with users
>> and
>> groups. Is such a thing even possible?
>
> Are we talking about doing this on Linux ? if so you could create a
> group and then give this group the privileges required. Run (as root):
> net rpc rights list privileges -Uadministrator
>
> For a complete list of the available privileges.
>
No, I was hoping to endow the digital archivist, who is onsite and deals
with minor desktop issues, with the ability to use the RSAT Users and
Computers tool to add users, but this isn't terribly critical.
For the sake of understanding, `net rpc rights list privileges
-Uadministrator` lists the user's privileges, but am I able to afford
these privileges individually to other domain users; e.g. could I give a
user the SeAddUsersPrivilege privilege?
>>
>> A related and much easier (let's call it dumb, should have RTFMed)
>> quesetion, is what's involved in making other users full domain
>> admins?
>
> You gave the answer yourself, add the user to the Domain Admins group
> (or Administrators)
>
> Rowland
>
>
>