Re: Need help configuring delegate authority for department administra




Howdie!

pbrill1 wrote:
> I am trying to determine how to best set up administrator-like settings for a new departmental IT person - to do administrator-like tasks without having full administrator rights.
>
> I've looked at using DELEGATE AUTHORITY to assign permissions - but it seems to provide only a subset of features that I'd want (resetting passwords, etc.)
>
> I was hoping to allow our departmental IT person the ability to load software on client machines by creating an ID with elevated ADMIN like permissions for just the subset of computers that are assigned to this department. This question falls between AD and Group policy, so I chose this newsgroup first.

As soon as you need to have your user be able to install software on the machine, he/she needs to have full administrator rights. Only Administrators have sufficient rights for editing registry and filesystem permissions in a correct manner to install most pieces of software.

If installing software is not a mission-critical task, you can enumerate other tasks that the user shall be able to perform on the machine(s). If you have, we'll be able to help you further. It'd also be helpful if you provided your reasons why this IT person should *not* be given standard-Administrator access to the machine(s).

If you - after all the thinking and researching - came to see that your IT person should need standard-admin rights, you can use the Restricted Groups feature of Active Directory like Dragos posted. It can help you make that person Admin on all the workstations at once:

http://www.frickelsoft.net/blog/?p=13

cheers,

Florian
--
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
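
The Restricted Groups setting mentioned in the reply above, sketched as the security template a GPO stores for it. This is an added example, not part of the original post or the linked blog; the group it refers to ("Dept-Workstation-Admins"), the SID placeholders and the GPO GUID placeholder are assumptions, and the GPO is assumed to be linked only to the OU holding the department's computers.

```ini
; Added example (not from the original post).
; File written by the Group Policy editor when Restricted Groups is configured:
;   \\<domain>\SYSVOL\<domain>\Policies\{<GPO-GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
; Link the GPO to the department's computer OU only, so the grant does not
; reach workstations outside the department.

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Additive form ("This group is a member of"):
; the domain group Dept-Workstation-Admins (placeholder SID below) is added to
; the local BUILTIN\Administrators group (well-known SID S-1-5-32-544).
; Existing members of the local Administrators group are left in place.
*S-1-5-21-<domain-id>-<group-rid>__Memberof = *S-1-5-32-544
*S-1-5-21-<domain-id>-<group-rid>__Members =

; Replacing form ("Members of this group"), shown commented out for comparison:
; the local Administrators group is rewritten to contain ONLY the listed
; principals each time policy applies, so anything not listed is removed.
; List Domain Admins (RID 512) explicitly if this form is used.
;*S-1-5-32-544__Memberof =
;*S-1-5-32-544__Members = *S-1-5-21-<domain-id>-512,*S-1-5-21-<domain-id>-<group-rid>
```

Putting the IT person's account into a domain group and referencing the group, rather than the account itself, keeps the grant reviewable and lets it be revoked by removing one group membership.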