Re: AD permissions
From: Ulf B. Simon-Weidner [MVP] (nospam2-ulf_at_usw-consulting.com)
Date: 10/07/04
- Next message: Phillip Renouf: "Re: separate active directory"
- Previous message: Joe Kaplan \(MVP - ADSI\): "Re: ADAM Distribution List?"
- In reply to: Steve: "AD permissions"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 07 Oct 2004 11:25:02 -0700
"Steve" <anonymous@discussions.microsoft.com> wrote in message
news:186601c4ac7a$980ca690$a401280a@phx.gbl:
> Hello,
>
> In my Windows 2003 Server Active Directory domain I
> have several employees who are "domain admins". They are
> domain admins so they can add computers to domains etc.
> These domain admins have the Microsoft Management Console
> to manage Active Directory on their computer. I have no
> problem with them being able to connect, view, or reset
> passwords, I just do NOT want them to be able to create
> or delete OUs, delete user accounts, or have any access
> to make or create changes in group policy. Basically I just
> want them to be able to reset passwords etc. What are my
> best options? I have looked into delegation of control,
> but it doesn't do me any good if the user is already a
> domain admin, does it? Help please.
>
Hello Steve,
As Mark stated you don't need them or want them to be domain
administrators.
I once had a customer where they had a lot of domain admins and account
operators. We figured out what they needed to do, and it was mainly
account management. They wanted all of them to become account operators;
however, an account operator has the right to do about everything with
users, groups and computers. If I create an OU design I usually have
specific OUs which are for users, and others which hold group or
computer objects. The OU design is based on administration needs and on
group policy objects. So I don't want anyone creating a computer in an
OU where users are supposed to be, or vice versa.
So I delegated them the rights they needed on the appropriate OUs; this
helped them not to make any mistakes.
You can delegate almost every task in Active Directory; there's really
no need for them to be domain administrators.
Here are a few articles on delegation:
Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3
Look also at the appendix of that guide which is linked on that page.
296999 Minimum Permissions Are Needed for a Delegated Administrator to
Force Password Change at Next Logon Procedure
http://support.microsoft.com/?id=296999
279723 How to Grant Help Desk Personnel the Specific Right to Unlock
Locked User Accounts
http://support.microsoft.com/?id=279723
--
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
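The delegation Ulf describes, as an added example that is not part of the original thread or of the linked Microsoft articles: a PowerShell script (ActiveDirectory module, Windows Server 2008 R2 or later RSAT) that gives a help-desk group exactly the rights the two KB articles call for (Reset Password, plus read/write on pwdLastSet and lockoutTime) on descendant user objects of one OU, and nothing else. The OU name OU=Staff,DC=example,DC=com, the group name HelpDesk, and the helper function names are assumptions for illustration; the schema and extended-right GUIDs are looked up from the forest rather than hard-coded.

```powershell
# Added example, not from the original post. Delegates the help-desk
# "reset password" task on one OU to a group instead of making its
# members Domain Admins. Assumptions (not in the original thread):
# the OU is OU=Staff,DC=example,DC=com, the group is HelpDesk, and the
# script runs as an account allowed to change that OU's ACL.
# Requires the ActiveDirectory module (RSAT); run in an elevated session.
Import-Module ActiveDirectory

$ouDN      = 'OU=Staff,DC=example,DC=com'   # assumed OU that holds only user objects
$groupName = 'HelpDesk'                     # assumed group that receives the rights

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve GUIDs from this forest's own schema instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID          # schemaIDGUID is stored as a byte array
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'    # KB 296999: "must change password at next logon"
$lockoutTime = Get-SchemaGuid 'lockoutTime'   # KB 279723: unlock a locked-out account
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

$sid         = (Get-ADGroup -Identity $groupName).SID
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$readWrite   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Each ACE is scoped to descendant *user* objects only (inheritedObjectType =
# user class), so it never applies to computers or groups that someone later
# drops into this OU, which is the "wrong object in the wrong OU" mistake Ulf
# describes.
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $extended,  $allow, $resetPwd,    $descendants, $userClass),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $readWrite, $allow, $pwdLastSet,  $descendants, $userClass),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $readWrite, $allow, $lockoutTime, $descendants, $userClass)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify what the group can now do on this OU. Anything beyond the three
# entries above (GenericAll, CreateChild/DeleteChild, WriteDacl, ...) means
# the group is over-delegated and should be trimmed.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Once the delegation is in place, the help-desk accounts come out of Domain Admins; the delegated rights only have the intended effect when the group is not also a member of a built-in group (Domain Admins, Account Operators) that already grants far more. Note that members of protected groups have their ACLs periodically reset from AdminSDHolder, so this delegation will not let the help desk reset a Domain Admin's password; that is the desired outcome, not a bug.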