Re: Domain Admin rights
- From: "Kerry Brown" <kerry@xxxxxxxxxxxxxxxxxxx*a*m>
- Date: Wed, 7 Jun 2006 06:48:48 -0700
steve wrote:
Currently whenever I need to perform modifications on my servers
(e.g. add user account, search for files, set permissions etc.) I log
in locally or via RDP using the domain admin account and then log out
when finished. No other user account belongs to the domain admins
group. As it is only me and another user that who will ever be
performing these kind of actions, is it OK to continue to use this
setup or should I grant us both domain admin rights so we can make
these changes from our console? It is a relatively small domain (~100
users) with a small number of servers running windows 2003.
Basically my question is "should standard user accounts ever be added
to the domain admins group"?
I'd love to hear of alternative setups etc.
No, you shouldn't add your normal user account to domain admins. You can
however install the adminpak on your local machine. Then you can logon as a
domain admin and run the administration consoles on your local machine then
logoff when finished. You can also setup a manager account and use the
delegate control wizard to allow that account to do specific things like add
users etc.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx
--
Kerry
MS-MVP Windows - Shell/User
.
- References:
- Domain Admin rights
- From: steve
- Domain Admin rights
- Prev by Date: Re: Licensing Mode
- Next by Date: Re: Best Practice to keep Public & Private IP Address
- Previous by thread: Domain Admin rights
- Next by thread: Re: Best Practice to keep Public & Private IP Address
- Index(es):
Relevant Pages
|
Loading
