Restricting Members of BuiltinAdministrator to just be able to create Domain Trust
In Windows 2000/2003, can we restrict a BuiltinAdministrators member to have just enough rights so that he/she can only create/delete domain trusts? The requirement that we have is to programmatically create trusts with all the domains in a given forest. The other part of the requirement is to maintain the created trusts (i.e. recreate the trust if it is broken for some reason) and to keep creating trusts for domains that are newly added to the forest. For this task our understanding is that we will need an Enterprise Admin, but some of our customers may not be comfortable giving us the Enterprise Admin credentials, so we want to create a user who is only able to create trusts but nothing else. During our research we have come to the conclusion that we cannot create trusts with a domain unless the credentials used belong to a member of the BuiltinAdministrators group in the domain. Hence the requirement to cripple a member of the Administrators group so that it can only create trusts.

ASKED: May 10, 2005  7:09 PM
UPDATED: May 11, 2005  12:07 AM

Answer Wiki:
Do better research. When doing better research, be sure to check out the "Incoming Forest Trust Builders" builtin group, which should solve your problem.
Last Wiki Answer Submitted:  May 11, 2005  12:07 am  by  Amigus   0 pts.