Re: Mapping to W2003 user rights/access?
From: Ulf B. Simon-Weidner [MVP] (nospam2-ulf_at_usw-consulting.com)
Date: 06/03/04
- Next message: Paul: "Establishing a Domain Name for NT4->W2K3 upgrade"
- Previous message: Mike: "Moving Novell DHCP to windows DHCP"
- In reply to: Athy: "Mapping to W2003 user rights/access?"
- Next in thread: Bob Qin [MSFT]: "RE: Mapping to W2003 user rights/access?"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 03 Jun 2004 15:17:40 -0700
Hello Athy,
answers inline
"Athy" <anonymous@discussions.microsoft.com> wrote in message
news:17e4b01c449b3$4e20e9d0$a401280a@phx.gbl:
> Hi
> We are migrating from NT to W2003 and where in the past it
> was required to have a lot of people with domain admin
> rights, I am hoping W2003 will be a lot more accommodating
> when it comes to access/user rights.
> Basically I have a few questions:
> 1) Can members of the default account operators now manage
> privileged accounts?
Depends on which privileged accounts and how the rights on them are
configured (see the very bottom).
> 2) What access is needed to manage DNS, replication,
> clustering, etc? Hopefully not domain admin...
AFAIK you can delegate Replication, you can delegate DNS for sure, and
I believe Clustering should need maximum Admin rights on the Cluster.
> 3) Can server operators be used if servers are not kept in
> the default OU's? If not, how can I work around that?
Yes - it's a group which has special local rights on the server,
nothing special at the OU level.
> 4) What access can be used for accounts used to do
> security patch level scanning?
Depends on the tool, I believe maximum would be local Admin on the
client you want to scan.
> 5) Would Exchange 2003 admins require any special rights
> apart from within Exchange itself?
> 6) Is there a granular delegation setting or something
> similar to be able to view GPO settings but not change
> them?
>
Yes - by default authenticated users have read and apply rights on the
GPOs.
> Thanks!
Within Active Directory, and especially Active Directory Objects and
Attributes (such as Users and their specific properties) you can do a
lot of delegation. I wouldn't even use Account Operators, I usually
create special groups which are delegated just the rights they need to
perform their job. Account Operators would be able to do everything to
users, computers and groups in every OU - however usually you want the
users to be created and administered in special OUs, Computers in
another and groups in another as well. And you might not want to give
certain people full access on users, but just enable them to change
certain properties.
Hope this helps you - just get into it and experience the delegation
possibilities - it's worth it!
-- Gruesse - Sincerely, Ulf B. Simon-Weidner
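
The kind of per-OU, per-property delegation the reply above describes, as an added example that is not part of the original post: a dedicated group is granted only password reset, account unlock and one writable attribute on user objects in a single OU, using `dsacls`. The domain, OU and group names are assumptions made up for illustration.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
$userOu = 'OU=Staff,DC=example,DC=com'   # assumed OU that holds the user accounts
$group  = 'EXAMPLE\Helpdesk-Staff'       # assumed group created for this one task

# /I:S applies each ACE to child objects only; the trailing ";user" limits it
# to user objects, so computers and groups in the same OU are unaffected.
# ${group} is braced so PowerShell does not parse "$group:" as a drive-qualified variable.

# 1. Extended right: reset a user's password.
dsacls $userOu /I:S /G "${group}:CA;Reset Password;user"

# 2. Read/write pwdLastSet, needed to force a password change at next logon.
dsacls $userOu /I:S /G "${group}:RPWP;pwdLastSet;user"

# 3. Read/write lockoutTime, needed to unlock a locked-out account.
dsacls $userOu /I:S /G "${group}:RPWP;lockoutTime;user"

# 4. Read/write one specific property instead of full control over the user.
dsacls $userOu /I:S /G "${group}:RPWP;telephoneNumber;user"

# Review the result: list only the ACEs on the OU that mention the group.
dsacls $userOu | Select-String -SimpleMatch $group
```

The final command is the check to repeat after any change: the group should appear only with the four entries granted here, all scoped to user objects.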