Can’t we all just get along? Part I

Scenario 1: Delegating Setup (Installation and Activation)

Mark and I run into this problem in HiED often. We want to deploy but we are completely decentralized. Each department runs their own gear. We may have a central AD infrastructure but this model has been built for delegation. Each school/Dept is in charge of their own servers.


This being said "How do I deploy OCS when I know I won't manage servers X, Y, and Z. The first area to tackle is with Installation and Delegation. What if you aren't a Domain Admin. The Central IT team can delegate the responsibility for you to deploy and activate OCS via the deployment wizard or via command line. With this tool the users don't get elevated to domain admin and they get the subset of users necessary for OCS Setup and deployment.

The user must have the following:


1. Delegated Permission for Installation

2. Local Admin on server to be installed

3. Local Admin to BE SQL Server for Ent Installations.



To delegate setup tasks

Start setup and do your typical deployment whether standard or enterprise. When you get to the Delegation Setup and Admin Page Select the Delegate Setup Tasks and click Run. This will provide you options to select the "trustee domain". This is the domain that contains the group to which you want to delegate permissions. Enter the name of the group you want to delegate permissions to (this group must be universal or global). You also need to define the location of the computer objects where the OCS Server will be deployed, the distinguished name of the OU or container holding that computer.


One step often missed is to make sure you add the trustee group to the local admin group where you want to install OCS and the in the Local Admin for any BE SQL database servers.

Also in the case that authenticated users permissions have been removed, you must add this new group for setup task to RTCUniversalServerAdmins or manually grant Read permissions to the following containers in the forest root:

· Forest root domain

· Forest root domain System container

· Root of the domain where permissions is delegated

· Parent containers of computer objects and service account objects


When complete you can user whoami.exe /all and the output should be like this:


Everyone Well-known group S-1-1-0

BUILTIN\Administrators Alias S-1-5-32-544 BUILTIN\Users Alias S-1-5-32-545 NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4

NT AUTHORITY\Authenticated Users Well-known group S-1-5-11

NT AUTHORITY\This Organization Well-known group S-1-5-15

LOCAL Well-known group S-1-2-0

FABRIKAM\RTCUniversalUserReadOnlyGroup Group S-1-5-21-4264192570-

FABRIKAM\RTCUniversalGlobalWriteGroup Group S-1-5-21-4264192570-

FABRIKAM\RTCUniversalGlobalReadOnlyGroup S-1-5-21-4264192570-

FABRIKAM\RTCUniversalServerReadOnlyGroup S-1-5-21-4264192570-

FABRIKAM\delegatedLSSetup Group S-1-5-21-4264192570-

FABRIKAM\RTCUniversalServerAdmins Group S-1-5-21-4264192570-

FABRIKAM\CERTSVC_DCOM_ACCESS Alias S-1-5-21-4264192570-


You can also use LCSCMD to setup trustee groups and permissions for installation/activation. Next time we'll talk about Server and User Admins.

Comments (0)

Skip to main content