Re: Active Directory Permissions




"Wirelondon" <Wirelondon@xxxxxxxxx> wrote in message
news:1155015181.887393.214010@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have been asked by my manager to set up access for the Helpdesk Team to
access the Active Directory.

I need some advice: when I asked what access I should give the Helpdesk
team, he replied "give them same access as you". But I don't want
them having full control.

Our helpdesk team is 3 people who look after all 1st line & 2nd line
support issues.

Has anyone else been asked to grant people access, but not wanting to
give them full control?

Read the other responses which are correct (Florian, Joe, Paul).

It might help you to know the following:

Active Directory and with it Win2000/2003 server contain numerous
features designed specifically to allow for the appropriate delegation
of control to those who need additional authority.

This control can not only be delegated incrementally, it can be delegated
over subsets of the domain, usually at the OU level (but technically all
the way down to a single property on a single user).

So, yes, many people have faced this issue and Microsoft designed
the new systems to meet these requirements.

Take a look at AD Users and Computers, right click on an OU and
notice that there is a "Delegation of Control" wizard that lets you
easily delegate the most common tasks requiring delegation.

More sophisticated delegations can be performed through the actual
PERMISSIONS on each AD object (if you understand NTFS permissions
then you can loosely think of OUs like directories and users/computers
like files -- although most admins don't really understand NTFS
thoroughly) or you can delegate some things like control over services
conveniently in Group Policy.

Microsoft has already provided examples of service delegation in
Win2003 by creating groups called "DHCP Users" and "WINS
Users" that have read only access to the DHCP and WINS console
and data. ("User" is a slight misnomer because this is not about
ordinary users.)

These two groups are typically used specifically to give the Help
Desk the ability to FIND a DHCP or WINS problem when helping
a user but require them to call a "real admin" to make any changes
if and only if changes are necessary.

Joe gave you some pointers to white papers and the above may
give you the basic philosophy of Win2000+ and AD.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Many thanks

Phil
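
The OU-level, per-property delegation described in the reply above, as an added example that is not part of the original thread: it grants a help desk group three user-account tasks on one OU with `dsacls`, then reviews the group's ACEs for anything broader. The OU, domain and group names are assumed placeholders, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl below

# Assumed placeholder names (not from the thread); substitute your own.
$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\Helpdesk'

# Grant only the tasks the help desk needs, scoped to user objects in the OU.
# /I:S = apply to sub-objects only; CA = control access right; WP = write property.
$grants = @(
    "${group}:CA;Reset Password;user",   # reset a forgotten password
    "${group}:WP;pwdLastSet;user",       # force "change password at next logon"
    "${group}:WP;lockoutTime;user"       # unlock a locked-out account
)
foreach ($grant in $grants) {
    dsacls $ou /I:S /G $grant | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for: $grant" }
}

# Review the result: list the group's ACEs on the OU and mark any that go
# beyond a single named property or extended right.
$dangerous = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'
$scopable  = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, ExtendedRight'

(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    ForEach-Object {
        $rights = [int]$_.ActiveDirectoryRights
        # An empty ObjectType GUID means "all properties" / "all extended rights".
        $unscoped = (($rights -band $scopable) -ne 0) -and ($_.ObjectType -eq [guid]::Empty)
        # GenericAll (full control) includes WriteDacl and WriteOwner, so it is caught here too.
        $tooBroad = (($rights -band $dangerous) -ne 0) -or $unscoped
        [pscustomobject]@{
            Rights     = $_.ActiveDirectoryRights
            ObjectType = $_.ObjectType
            AppliesTo  = $_.InheritedObjectType
            Verdict    = if ($tooBroad) { 'REVIEW' } else { 'ok' }
        }
    } | Format-Table -AutoSize
```

Run from an account that can modify permissions on the OU; any row marked `REVIEW` is an ACE that gives the group more than a single named task.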





