User rights

Al
Apr 8, 2004
Archived from groups: microsoft.public.win2000.active_directory

What is the easiest way to allow our helpdesk personnel to be able to do
domain admin rights, but NOT be domain admins... as we just switched to
active directory, and in NT they could log-on to domains, replace parts,
make changes to profiles... etc...

AL
 
Guest

"" wrote:
> What is the easiest way to allow our helpdesk personnel to be able to do
> domain admin rights, but NOT be domain admins... as we just switched to
> active directory, and in NT they could log-on to domains, replace parts,
> make changes to profiles... etc...
>
> AL

delegate those permissions....

A tip for delegation (per organization this may depend, but this
should give you a hint how to do it):
* create separate admin accounts to perform admin tasks
* Define the admin roles in your organization
* Define all the admin tasks performed by those roles in your
organization
* Create an OU for the Admin roles and the admin tasks
* Do not delegate the management of the roles and the tasks to groups
or persons other than the domain admins
* Create an OU for the Admin accounts
* Do not delegate the management of the admin accounts to groups or
persons other than the domain admins
* Create a separate OU for the Admin roles
* Setup admin roles represented by security groups in AD
* Setup all kinds of tasks represented by security groups in AD
* Give the task groups the appropriate permissions in AD and on
servers through the delegation of control wizard and through GPOs
(restricted groups feature)
* Make the role groups a member of the appropriate tasks
* Make the admin accounts a member of the appropriate roles (most of
the time 1 admin account only has one role assigned)
* Protect the admin accounts OU, the admin roles and tasks OU

For delegating tasks see the following white papers. They are very
good!
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

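
The role/task group layout from the answer above, sketched in PowerShell as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) and dsacls.exe are available and that an OU named Staff already holds the ordinary user accounts; every OU, group and account name is hypothetical, and dsacls stands in here for the Delegation of Control wizard the answer mentions.

```powershell
# Added example: role -> task -> permission delegation. All names are hypothetical.
Import-Module ActiveDirectory

$dom     = Get-ADDomain
$staffOU = "OU=Staff,$($dom.DistinguishedName)"   # assumed existing OU with ordinary users

# OUs for admin accounts and for role/task groups. Nothing is delegated on these,
# so only Domain Admins can change who holds which role.
$root   = New-ADOrganizationalUnit -Name 'Admin' -Path $dom.DistinguishedName -PassThru
$acctOU = New-ADOrganizationalUnit -Name 'Accounts' -Path $root.DistinguishedName -PassThru
$grpOU  = New-ADOrganizationalUnit -Name 'RolesAndTasks' -Path $root.DistinguishedName -PassThru

# Task group: carries the permission. Role group: carries the people.
$task = New-ADGroup -Name 'Task-ResetPassword' -SamAccountName 'Task-ResetPassword' `
        -GroupScope DomainLocal -GroupCategory Security -Path $grpOU.DistinguishedName -PassThru
$role = New-ADGroup -Name 'Role-Helpdesk' -SamAccountName 'Role-Helpdesk' `
        -GroupScope Global -GroupCategory Security -Path $grpOU.DistinguishedName -PassThru

# Role is a member of the task; the admin account is a member of the role.
Add-ADGroupMember -Identity $task -Members $role

# Separate admin account for the helpdesk person, created disabled until a
# password is set by a domain admin.
$adm = New-ADUser -Name 'adm-jdoe' -SamAccountName 'adm-jdoe' `
       -Path $acctOU.DistinguishedName -Enabled $false -PassThru
Add-ADGroupMember -Identity $role -Members $adm

# Grant the task group password reset on user objects under the Staff OU only.
# /I:S applies the entries to child objects; the ACEs are scoped to class "user".
$trustee = "$($dom.NetBIOSName)\Task-ResetPassword"
& dsacls.exe $staffOU /I:S /G "${trustee}:CA;Reset Password;user"
& dsacls.exe $staffOU /I:S /G "${trustee}:WP;pwdLastSet;user"   # force change at next logon
& dsacls.exe $staffOU /I:S /G "${trustee}:WP;lockoutTime;user"  # unlock account

# Review: who effectively holds the task, and which ACEs now reference it.
Get-ADGroupMember -Identity $task -Recursive | Select-Object SamAccountName
& dsacls.exe $staffOU | Select-String 'Task-ResetPassword'
```

Helpdesk staff added to Role-Helpdesk gain only the rights attached to the task groups that role belongs to, and none of them hold Domain Admins membership.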