Hello,

I work for a large company with several remote administrators. These
administrators need to be able to add/modify/delete accounts and
computers. They are not allowed to be Domain Administrators.

We did that through permissions on OUs and granting them rights to
local computer systems.

Is it possible to grant them rights to work on domain controllers
(install patches) without making them domain admins?

Thanks.

No that is not possible and can not be delegated using AD permissions. By
their nature domain controllers contain very sensitive information including
a writeable copy of Active directory and need to be managed by a trusted
domain level administrator. It is possible to dcpromo a domain controller
remotely if need be or manage it via Terminal Services remote
administration.

Steve


<chip33az@netscape.net> wrote in message
news:1157580298.551149.166730@m79g2000cwm.googlegroups.com...
> Hello,
>
> I work for a large company with several remote administrators. These
> administrators need to be able to add/modify/delete accounts and
> computers. They are not allowed to be Domain Administrators.
>
> We did that through permissions on OUs and granting them rights to
> local computer systems.
>
> Is it possible to grant them rights to work on domain controllers
> (install patches) without making them domain admins?
>
> Thanks.
>