Re: Administrator levels




"David Sayers" <DavidSayers@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E3E5D66C-41E8-440B-9D83-B398BE3D50FA@xxxxxxxxxxxxxxxx
We currently run a single domain Windows 2000/2003, Windows 2000 native
domain. I am having a hard time finding documentation for something that I
would like to accomplish. Currently, all the techs are set up as domain
admins, which we all know is a bad idea. I would like to set up "levels" of
admins, based on their job function, and I am looking for some guidance. I
found some information on planning, but nothing on how to actually implement
it. Thanks in advance.

Make groups for each level and include the appropriate members.

Try the "Delegation of Authority" wizard FIRST to see if what
you want is one of the standard options. (Right click on an object
like an OU to delegate control to say "DeptAdmins".)

If this doesn't do what you want, you can always use the direct
permissions on an object (like an OU) to delegate other things.

There is also some delegation of SERVICE stuff in a GPO under
Computer->Windows Settings->Security->Services -- e.g., you
can make someone a "Reader" of a service or even give full
control WITHOUT making them a domain or even server admin.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
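
The group-plus-direct-permissions approach from the reply, as an added example that is not part of the original posts: it scopes one admin level to password resets and unlocks on a single OU, then reads the ACL back and lists technicians still in Domain Admins. It assumes a management workstation with the ActiveDirectory PowerShell module and dsacls.exe; the domain, OU and account names are constructed placeholders, and only the group name "DeptAdmins" comes from the reply.

```powershell
# Added example. Domain, OU and account names are constructed placeholders.
Import-Module ActiveDirectory

$ou     = 'OU=Dept,DC=example,DC=com'   # assumed OU holding the department's users
$domain = 'EXAMPLE'                     # assumed NetBIOS domain name
$group  = 'DeptAdmins'                  # group name used in the reply above
$techs  = 'tech1', 'tech2'              # assumed technician accounts

# 1. One group per admin level, holding the technicians for that level.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
}
$current = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty SamAccountName)
$missing = @($techs | Where-Object { $current -notcontains $_ })
if ($missing) { Add-ADGroupMember -Identity $group -Members $missing }

# 2. Direct permissions on the OU, inherited by user objects below it (/I:S).
#    Format is <rights>;<property or extended right>;<object type>.
$grants = @(
    'CA;Reset Password;user',   # extended right: reset a user's password
    'RPWP;pwdLastSet;user',     # set "must change password at next logon"
    'RPWP;lockoutTime;user'     # unlock a locked-out account
)
foreach ($g in $grants) {
    & dsacls $ou /I:S /G "$domain\${group}:$g" | Out-Null
}

# 3. Read the ACL back and confirm the group's entries are really there.
$aces = & dsacls $ou | Select-String -SimpleMatch "$domain\$group"
if (-not $aces) { throw "No ACEs for $domain\$group found on $ou" }
$aces

# 4. List technicians who are still Domain Admins, as candidates for removal
#    once the delegated rights have been tested.
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $techs -contains $_.SamAccountName } |
    Select-Object SamAccountName, distinguishedName
```

Each further "level" is another group with its own, narrower or wider, set of grants on the OUs that level is responsible for.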

