Archived from groups: microsoft.public.win2000.active_directory (More info?)
Windows 2003 Single Domain
I am currently delegating authority for our Computer Operations team. If I
explain what I have done so far, hopefully someone can fill in the pieces..
I have created a global group called Comp_Ops, I have then ran a script
which has added this global group to every Member Servers local
Administrators group.
I have also delegated Create/Write/Read permissions on Account, Computer,
Group, User, Shared Folder and Printer Objects on an OU within the domain.
At the moment, it meets our requirements for member servers and also when
they are on cover, they can modify group memberships, reset passwords etc.
The next bit is that we still have a number of DC's which act as File &
Print Servers, which we will eventually demote but for the time being, they
need access to so I was thinking about adding them to the Builtin Server
Operators group to provide them access so they can check event logs etc.
The question I have is concerning the AdminsSDHolder process...from my
understanding it's a process which runs every 1hr and resets the ACL's on the
User Objects belonging to the builtin groups
Does this mean that my plan to add them to the Builtin Server Operators
group would reset the work that I have already done?
If not, what else can I do? I don't want them to have Domain Admin
privileges. It's not my preferred option to let them logon to the DC's at all
but management wants them to have access to these DC F&PS until they are
demoted but this could be longer than 6 months because of the politics going
on.
Any assistance would be great.
Windows 2003 Single Domain
I am currently delegating authority for our Computer Operations team. If I
explain what I have done so far, hopefully someone can fill in the pieces..
I have created a global group called Comp_Ops, I have then ran a script
which has added this global group to every Member Servers local
Administrators group.
I have also delegated Create/Write/Read permissions on Account, Computer,
Group, User, Shared Folder and Printer Objects on an OU within the domain.
At the moment, it meets our requirements for member servers and also when
they are on cover, they can modify group memberships, reset passwords etc.
The next bit is that we still have a number of DC's which act as File &
Print Servers, which we will eventually demote but for the time being, they
need access to so I was thinking about adding them to the Builtin Server
Operators group to provide them access so they can check event logs etc.
The question I have is concerning the AdminsSDHolder process...from my
understanding it's a process which runs every 1hr and resets the ACL's on the
User Objects belonging to the builtin groups
Does this mean that my plan to add them to the Builtin Server Operators
group would reset the work that I have already done?
If not, what else can I do? I don't want them to have Domain Admin
privileges. It's not my preferred option to let them logon to the DC's at all
but management wants them to have access to these DC F&PS until they are
demoted but this could be longer than 6 months because of the politics going
on.
Any assistance would be great.
Facebook
Twitter
Instagram