Environment: Windows 2008 R2 Active Directory (Windows 2003 functional level domain)
DOMAIN
|
|- Computers (default OU)
|
|_ OU 01
|
|- OU 02
|
|- OU 03
|
|- OU 04
|
|- OU 05
| |-people
| |-computers
|
|- OU 06
We have employees who act as tech support for the individual departments.
We do not want to make them Domain Administrators.
(1) Is it possible to give a user rights to join and remove computers from the Windows domain for a specific OU (which corresponds to their department)?
For example, given the structure above, can a user be given permission to take a workstation that is in the standalone WORKGROUP and join it to the domain in OU 05\computers?
(2) Conversely, can they remove the computer, and the computer account, from the domain?
In the past, this task has always been done by Domain Administrators, so I’ve never given it any thought. But we’d like to delegate it to others.
Thanks.