User rights

Archived from groups: microsoft.public.win2000.active_directory (More info?)

What is the easiest way to allow our helpdesk personnel to be able to do
domain admin rights, but NOT be domain admins... as we just switched to
active directory, and in NT they could log-on to domains, replace parts,
make changes to profiles... etc...

AL
1 answer Last reply
More about user rights
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    "" wrote:
    > What is the easiest way to allow our helpdesk personnel to be
    > able to do
    > domain admin rights, but NOT be domain admins... as we just
    > switched to
    > active directory, and in NT they could log-on to domains,
    > replace parts,
    > make changes to profiles... etc...
    >
    > AL

    delegate those permissions....

    A tip for delegation (per organization this may depend, but this
    should give you a hint how to do it):
    * create separate admin accounts to perform admin tasks
    * Define the admin roles in your organization
    * Define all the admin tasks performed by those roles in your
    organization
    * Create an OU for the Admin roles and the admin tasks
    * Do not delegate the management of the roles and the tasks to groups
    or persons other than the domain admins
    * Create an OU for the Admin accounts
    * Do not delegate the management of the admin accounts to groups or
    persons other than the domain admins
    * Create separate OUan OU for the Admin roles
    * Setup admin roles represented by a security groups in AD
    * Setup all kinds of tasks represented by a security groups in AD
    * Give the task groups the appropriate permissions in AD and on
    servers through the delegation of control wizard and through GPOs
    (restricted groups feature)
    * Make the role groups a member of the apropriate tasks
    * Make the admin accounts a member of the appropriate roles (most of
    the time 1 admin account only has one role assigned)
    * Protect the admin accounts OU, the admin roles and tasks OU

    For delegating tasks see the following white papers. They are very
    good!
    http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
    http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Active-Directory-User-rights-ftopict407567.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1352656
Ask a new question

Read More

Domain Microsoft Active Directory Windows