RE: Delegation of duties to junior administrator
- From: sektor <sektor@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 17 May 2006 14:46:03 -0700
Thanks Hutch. That gives me some good ideas to think about.
One thing I was trying to find out more about is, "delegation" and how it
works.
I've been unsuccessful finding helpful articles.
Does anyone by chance happen to know of a good link or how-to that explains
this in depth and how to implement it? It sounds very much like what I need.
Thanks,
"Hutch" wrote:
What we have done is the following:
Created a Group in AD. Using the Restricted Groups GPO (be very careful
with this one... if not set up properly, you can remove the Domain Admins group
from everything), we have made this Group a member of the local Admins group
on all PCs (not Servers). That gives members in this group full admin
rights to all PCs.
All Computer accounts are in a specific OU (not the default container, but
we created a separate one). Delegated permissions to the Group, to allow for
adding PCs, renaming, etc. ... essentially full admin rights.
With computers being separate from servers, this only allows the members to
have full access to PCs, which we are not overly concerned about. I have
made sure that all Domain Controllers, Servers, and any other essential PC,
are not in this OU, nor does the Restricted Groups GPO have access to them.
The other reason the separate Computer OU works for us is we use RIS to
image our PCs. It automatically places the new computer account into this
OU.
However, if you want to continue using the default computer container, you
can delegate permissions on this one as well. As mentioned, I would just
make sure that anything you don't want touched by this junior admin does not
have its machine account in this container.
"sektor" wrote:
Hello everyone.
I was hoping to get some recommendations on how I can accomplish the
following:
I have a Junior Administrator that will be starting soon for me. I need to
figure out how to give him just enough access to perform some duties, without
giving him full-blown Administrative privileges. I came from the Unix/Linux
world where I used "sudo" to give just the right permissions needed.
What is the best way to go about doing this? Here are some basic duties he
would need to do:
-join computers to the domain
-when renaming computers, he will need the admin password (because it asks
for it, just like when you join computers to the domain)
-patching computers
But I definitely do not want to give out full administrative access. I set up
a policy to not even use the admin account for anything, unless absolutely
necessary.
Anyone have some recommendations? Maybe an article or how-to to accomplish
just what I'm trying to?
Thanks,
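
An added example, not part of the original thread or written by either poster: one way to script the OU-scoped delegation Hutch describes, with a guard that stops if a server or domain controller account sits in the OU. The OU path, domain and group name are placeholders, the list of rights is one commonly used set for joining and re-joining PCs and is an assumption, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Placeholders (assumptions, not values from the thread): change before use.
$OU    = 'OU=Workstations,DC=example,DC=com'   # OU that should hold PC accounts only
$Group = 'EXAMPLE\PC-Admins'                   # group the junior admin belongs to

Import-Module ActiveDirectory

# Guard: the delegation reaches every computer object under the OU, so stop
# if a server OS or a domain controller (primary group 516, RODC 521) is there.
$risky = Get-ADComputer -SearchBase $OU -Filter * -Properties OperatingSystem, PrimaryGroupID |
    Where-Object {
        $_.OperatingSystem -like '*Server*' -or $_.PrimaryGroupID -in 516, 521
    }
if ($risky) {
    $risky | Select-Object Name, OperatingSystem, DistinguishedName | Format-Table -AutoSize
    throw "Move the accounts listed above out of $OU before delegating."
}

# Create and delete computer objects in this OU and its child OUs
# (joining a new PC, removing a retired one).
dsacls $OU /I:T /G "${Group}:CCDC;computer"

# On computer objects below the OU only (/I:S): the rights a re-join or
# rename needs. None of these apply to user, group or OU objects.
dsacls $OU /I:S /G "${Group}:CA;Reset Password;computer"
dsacls $OU /I:S /G "${Group}:RPWP;Account Restrictions;computer"
dsacls $OU /I:S /G "${Group}:WS;Validated write to DNS host name;computer"
dsacls $OU /I:S /G "${Group}:WS;Validated write to service principal name;computer"

# Review: list the ACEs now held by the group on the OU so the result can be
# compared with what was intended.
dsacls $OU | Select-String -SimpleMatch $Group
```

This covers only the directory side; local administrator rights on the PCs themselves still come from the Restricted Groups policy described in the thread.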