How do I use Group Policy to assign rights to individuals to do certain admin tasks without being in admin group in a single Win2k domain? This is the list:
1) create/manage users/accounts in domain
2) create/manage shares
3) stop/start certain services
4) create manage printers/queues
5) create manage groups
6) add computers to domain
7) not able to reboot/shutdown servers
8) not able to change security for themselves/admins etc
9) not able to format hard disks
Thanks in advance.
Some (but not all) of the things you mention are "User Rights" and are handled by "User Rights Assignments." Simply create a new Group Policy Object which affects the computers you want and drill down to Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment. Other functions are controlled by what group the user is a member of (ie: Power Users, Server Operators, etc.). It's going to take some time for you to handcraft the right experience for your users… there is no "magic bullet" here. But, hopefully at the end, the journey will be well worth it.
Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.