Re: Administrators Group in Local Users and Groups



Account Operators by default can log on to the DCs, can manage/create/delete
users/groups/computers all over the place.
As Joe said, using the Account Operators group is doing your work like you did
in the NT4 domain days. We now have the AD days and the ability to delegate
tasks to different people. That was not introduced for nothing, use it!

Some (high level) tips on setting up delegation:
* create separate admin accounts to perform admin tasks, use normal accounts
for mail and internet, etc
* Define the admin roles in your organization
* Define all the admin tasks performed by those roles in your organization
* Create an OU for the Admin roles and the admin tasks
* Do not delegate the management of the roles and the tasks to groups or
persons other than the domain admins
* Create an OU for the Admin accounts
* Do not delegate the management of the admin accounts to groups or persons
other than the domain admins
* Create a separate OU for the Admin roles
* Set up admin roles represented by security groups in AD
* Set up all kinds of tasks represented by security groups in AD
* Give the task groups the appropriate permissions in AD and on servers
through the delegation of control wizard and through GPOs (restricted groups
feature)
* Make the role groups a member of the appropriate tasks
* Make the admin accounts a member of the appropriate roles (most of the
time 1 admin account only has one role assigned and when needed several
tasks)
* Protect the admin accounts OU, the admin roles and tasks OU

For delegating tasks see the following white papers. They are very good!
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------


-----------------------------------------------------------------------------
"Spin" <Spin@xxxxxxxx> wrote in message
news:41t6p5F1gaa6oU1@xxxxxxxxxxxxxxxxx
> Hi Joe,
>
> I do not see a problem with adding junior admins to the Account Operators
> group. That gives them good privileges to the domain without giving them
> domain admin rights. I feel safe doing this. Why do you feel it is not
> safe?
>
> --
> Spin
>
> "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
> news:uO5Ox5LDGHA.2988@xxxxxxxxxxxxxxxxxxxxxxx
>> 1. You can't have a group automatically added upon join. You can get them
>> added via a group policy though, look at restricted groups.
>>
>> 2. You can't add builtin groups from the domain to domain member's
>> builtin groups. Builtin groups have a well known sid, in the case of acc
>> ops it is S-1-5-32-548. That group will not work outside of domain
>> controllers. If you applied it to an admin group, it would give a
>> resolution error. However think of if it did work, that SID has no domain
>> affinity (i.e. no domain component of the SID) so ANY account operator of
>> ANY domain would then have admin rights to your workstations. That is why
>> it doesn't work at all.
>>
>> Finally, don't use account ops. It is a bad group to use for a multitude
>> of reasons. Consider it useful only during migration from NT4. Once you
>> have all 2K or better DCs, stop using it.
>>
>> joe
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>>
>> Mark Morrell wrote:
>>> Hi!
>>> I am trying to find out how to add in the domain group Account Operators
>>> to
>>> each workstations administrator group (without going to each computer).
>>>
>>> Domain Admins is added into each computer when it joins the domain.
>>> I want Account Operators to do the same.
>>>
>>> Running Server 2000 and 2003 native
>>> With Workstations 2000 and XP
>>> All updates as of yesterday.
>>>
>>> Thanks
>>> Mark
>>>
>
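Two points in the thread above lend themselves to a worked example: Joe's remark that the Account Operators SID S-1-5-32-548 has no domain component, and Jorge's role/task delegation model (OUs for admin accounts, roles and tasks; security groups for roles and tasks; role groups nested into task groups; rights granted to the task groups). The PowerShell below is an added example written for this page, not code from any of the posters. The domain name `corp.example`, the OU and group names, and the sample domain SID are constructed; the delegation step uses `dsacls` with the "Reset Password" extended right on a "Users" OU as one illustrative task. The GPO "restricted groups" part of Jorge's list is not scripted here. The first function runs anywhere with .NET; the second needs the ActiveDirectory module and a test domain.

```powershell
# Joe's point: BUILTIN aliases such as Account Operators (S-1-5-32-548) carry no
# domain identifier, so the SID is identical in every domain. .NET exposes this
# directly: AccountDomainSid is $null for such SIDs.
function Test-SidDomainAffinity {
    param([Parameter(Mandatory)][string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    [pscustomobject]@{
        Sid                       = $s.Value
        IsBuiltinAccountOperators = $s.IsWellKnown(
            [System.Security.Principal.WellKnownSidType]::BuiltinAccountOperatorsSid)
        AccountDomainSid          = $s.AccountDomainSid      # $null for BUILTIN aliases
        HasDomainAffinity         = ($null -ne $s.AccountDomainSid)
    }
}

# Constructed sample SIDs: the real Account Operators alias, and a made-up
# domain RID-512 (Domain Admins) SID to contrast with it.
Test-SidDomainAffinity -Sid 'S-1-5-32-548'                                   # HasDomainAffinity: False
Test-SidDomainAffinity -Sid 'S-1-5-21-1004336348-1177238915-682003330-512'   # HasDomainAffinity: True

# Jorge's model, scripted for a hypothetical corp.example forest.
function New-AdminDelegationModel {
    param(
        [string]$DomainDn      = 'DC=corp,DC=example',
        [string]$NetbiosDomain = 'CORP',
        [string]$TargetUserOu  = 'OU=Users,DC=corp,DC=example'   # OU the task applies to
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Separate, protected OUs for admin accounts and for the role/task groups.
    # Management of these OUs stays with Domain Admins (no delegation here).
    $ouNames = 'Admin Accounts', 'Admin Roles', 'Admin Tasks'
    foreach ($name in $ouNames) {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $DomainDn)) {
            New-ADOrganizationalUnit -Name $name -Path $DomainDn -ProtectedFromAccidentalDeletion $true
        }
    }
    $rolesOu = "OU=Admin Roles,$DomainDn"
    $tasksOu = "OU=Admin Tasks,$DomainDn"

    # One role group (what a person is) and one task group (what may be done).
    $role = 'Role-HelpdeskAdmin'
    $task = 'Task-ResetUserPassword'
    foreach ($pair in @(@($role, $rolesOu), @($task, $tasksOu))) {
        $groupName, $path = $pair
        if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$groupName)")) {
            New-ADGroup -Name $groupName -SamAccountName $groupName `
                -GroupScope Global -GroupCategory Security -Path $path
        }
    }

    # Role groups become members of the task groups they need; admin accounts
    # are later made members of the role group, never of the task group directly.
    Add-ADGroupMember -Identity $task -Members $role

    # Grant the task group the "Reset Password" extended right on user objects
    # under the target OU (inherit to sub-objects only), equivalent to what the
    # Delegation of Control wizard produces for that task.
    & dsacls.exe $TargetUserOu /I:S /G "$NetbiosDomain\${task}:CA;Reset Password;user" | Out-Null

    # Return what was built so the caller can audit it.
    [pscustomobject]@{
        RoleGroup   = Get-ADGroup $role
        TaskGroup   = Get-ADGroup $task
        TaskMembers = Get-ADGroupMember -Identity $task | Select-Object -ExpandProperty SamAccountName
        Delegation  = & dsacls.exe $TargetUserOu | Select-String $task
    }
}

# Example run (test domain only):
# New-AdminDelegationModel -DomainDn 'DC=corp,DC=example' -NetbiosDomain 'CORP'
```

The SID check is the useful part to keep around: any group whose `AccountDomainSid` is `$null` is a BUILTIN alias that only has meaning on the machine (or, for domain controllers, the DC set) that defines it, which is why Joe's restricted-groups approach with a domain group, not the alias, is the right way to populate workstation Administrators.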