Re: Admin Roles




"tkutil" <tkutil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:DD1957B9-D5E9-4CE3-A2F7-EB59AD206D0E@xxxxxxxxxxxxxxxx
I would like to limit admin rights in AD so that low level admins only have
rights to do certain tasks. For one, I would like to have an admin account
that only has rights to add computers to AD and am wondering how other people
are accomplishing dividing up tasks within AD.


The best thing to do is create two user accounts for your administrators. One account is a plain-vanilla, Domain User account they normally log on with, email, etc. The other account is an account that you will delegate or add to a group that has been delegated certain rights in either an OU or across the domain. When they need to administer tasks, join machines, etc, they will use this account, whether directly logging on or with the RunAs feature.

I hope the following links are helpful with further explaining delegation.

Download details: Best Practices for Delegating Active Directory ... (Nov 25, 2003) ... Delegation of administration, a key capability of Active Directory, provides a means to successfully manage an Active Directory environment. ...
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3

Implementing Active Directory Delegation of Administration (Sep 13, 2006) ... In this article I will go into the details you need to know on how to implement delegation of administration, as well as some design ideas ...
http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
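One way to put the answer above into practice, as an added example that is not part of Ace's post: grant a group only the right to create and delete computer objects in a single OU, so the task-specific admin account (used via RunAs) can join machines and nothing else. The OU path, domain and group name are placeholders; it assumes the RSAT ActiveDirectory module and its AD: drive.

```powershell
# Added example (not from the original post): delegate "create/delete computer objects"
# on one OU to a group. Members of that group are the task-only admin accounts.
Import-Module ActiveDirectory

$ouDn     = "OU=Workstations,DC=example,DC=com"   # placeholder OU
$groupSam = "EXAMPLE\Computer-Joiners"            # placeholder group

# schemaIDGUID of the 'computer' object class; limits the ACE to that class only.
$computerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"

$sid = (New-Object System.Security.Principal.NTAccount($groupSam)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Create Child + Delete Child, restricted to computer objects, on this OU only
# (no inheritance), which is the narrowest grant that still allows joining machines.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
          [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify and record what the group now holds on the OU, so the delegation can be audited
# and any broader rights (e.g. GenericAll) spotted.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $groupSam } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritanceType

# The admin then uses the delegated account only for that task, e.g.:
#   runas /user:EXAMPLE\jdoe-adm "mmc dsa.msc"
```

Run it from an account that already holds Modify permissions on the OU; the final listing should show only CreateChild/DeleteChild scoped to the computer class for the group.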



