Re: prevent accidental AD objects deletion
From: Phillip Renouf (PhillipRenouf_at_discussions.microsoft.com)
Date: 10/06/04
- Next message: Phillip Renouf: "Re: automating the addition of hundreds of users"
- Previous message: CWstar: "account lockout loop"
- In reply to: Joe Richards [MVP]: "Re: prevent accidental AD objects deletion"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 6 Oct 2004 10:45:05 -0700
If the Admin actually does need to have that level of access then you might
want to look at admin tools from NetIQ or Quest as both have the ability to
use a sort of Recycle Bin before permanently deleting the object(s). This can
save you a lot of hassles.
Phil
"Joe Richards [MVP]" wrote:
> 1. Make sure admins have two IDs, a normal ID and an Admin ID. That way they can
> browse AD without hurting it.
>
> 2. Only give them rights that they need for daily work and can handle.
>
> 3. Script all common tasks so that GUIs are not used to do the work and that
> business rules and checks/balances are enforced. The ultimate is to proxy the
> work through a website or some other mechanism so people don't need the native
> or delegated rights directly.
>
>
> It sounds like an issue with #2. I would tend to guess that whoever is likely
> to do that has too much in terms of permissions in the directory.
>
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
>
> PP wrote:
> > hi pple,
> >
> > is there any way to prevent domain admin from
> > accidentally deleting AD objects? ie OUs
> >
> > what sort of restriction should be imposed that will not
> > hamper daily administrative duties?
>
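One way to apply point 3 of the quoted reply (script common tasks so that checks are enforced before anything is deleted), as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available; `Test-DeletionAllowed`, `Remove-ADObjectGuarded` and the allowed-class list are hypothetical names and rules chosen for illustration.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module for the
# wrapper; the rule check itself is a pure function and needs no domain.

function Test-DeletionAllowed {
    # Returns $null when deletion is acceptable, otherwise the reason for refusal.
    param(
        [string]$ObjectClass,
        [int]$ChildCount,
        [bool]$Protected,
        # Assumed business rule: day-to-day scripts may only delete leaf-type objects.
        [string[]]$AllowedClasses = @('user', 'computer', 'group', 'contact')
    )
    if ($Protected) { return 'object is flagged ProtectedFromAccidentalDeletion' }
    if ($ChildCount -gt 0) { return "object still has $ChildCount child object(s)" }
    if ($ObjectClass -notin $AllowedClasses) {
        return "class '$ObjectClass' may not be deleted through this script"
    }
    return $null
}

function Remove-ADObjectGuarded {
    # Hypothetical wrapper: admins run this instead of deleting in the GUI.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Identity)

    $obj = Get-ADObject -Identity $Identity -Properties ProtectedFromAccidentalDeletion
    # Count direct children so a populated container is never removed in one step.
    $children = @(Get-ADObject -SearchBase $obj.DistinguishedName -SearchScope OneLevel -Filter *)

    $reason = Test-DeletionAllowed -ObjectClass $obj.ObjectClass `
        -ChildCount $children.Count `
        -Protected ([bool]$obj.ProtectedFromAccidentalDeletion)
    if ($reason) { throw "Refusing to delete '$($obj.DistinguishedName)': $reason" }

    # ConfirmImpact = 'High' makes PowerShell prompt unless -Confirm:$false is passed.
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Delete AD object')) {
        Remove-ADObject -Identity $obj -Confirm:$false
    }
}

# Constructed sample inputs: exercise the rule check without touching a directory.
Test-DeletionAllowed -ObjectClass 'organizationalUnit' -ChildCount 12 -Protected $false
Test-DeletionAllowed -ObjectClass 'user' -ChildCount 0 -Protected $false
```

Running the wrapper with `-WhatIf` shows what would be deleted without making the change.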