Archived from groups: microsoft.public.win2000.active_directory
"" wrote:
> What is the easiest way to allow our helpdesk personnel to be able to do
> domain admin rights, but NOT be domain admins... as we just switched to
> active directory, and in NT they could log-on to domains, replace parts,
> make changes to profiles... etc...
>
> AL
delegate those permissions....
A tip for delegation (per organization this may depend, but this
should give you a hint how to do it):
* create separate admin accounts to perform admin tasks
* Define the admin roles in your organization
* Define all the admin tasks performed by those roles in your
organization
* Create an OU for the Admin roles and the admin tasks
* Do not delegate the management of the roles and the tasks to groups
or persons other than the domain admins
* Create an OU for the Admin accounts
* Do not delegate the management of the admin accounts to groups or
persons other than the domain admins
* Create a separate OU for the Admin roles
* Set up admin roles represented by security groups in AD
* Set up all kinds of tasks represented by security groups in AD
* Give the task groups the appropriate permissions in AD and on
servers through the delegation of control wizard and through GPOs
(restricted groups feature)
* Make the role groups a member of the appropriate tasks
* Make the admin accounts a member of the appropriate roles (most of
the time 1 admin account only has one role assigned)
* Protect the admin accounts OU, the admin roles and tasks OU
For delegating tasks see the following white papers. They are very
good!
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en
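The account → role group → task group nesting described in the reply above can be checked mechanically once it is in place. The following is an added example, not part of the original post: it audits a constructed export of group memberships, and the `Task-`/`Role-`/`adm-` naming prefixes and all group and account names are assumptions made for illustration.

```python
# Constructed sample: group -> direct members, as exported from AD.
# The Task-/Role-/adm- prefixes and every name here are hypothetical.
MEMBERS = {
    "Task-ResetPasswords": {"Role-Helpdesk"},
    "Task-JoinComputers": {"Role-Helpdesk", "Role-DesktopSupport"},
    "Task-ManageProfiles": {"Role-DesktopSupport", "adm-carol"},
    "Role-Helpdesk": {"adm-alice", "adm-bob"},
    "Role-DesktopSupport": {"adm-bob"},
}


def kind(name):
    """Classify a principal by its (assumed) naming prefix."""
    if name.startswith("Task-"):
        return "task"
    if name.startswith("Role-"):
        return "role"
    return "account"


def audit(members):
    """Return findings where the membership graph departs from the model."""
    findings, roles_of = [], {}
    for group, direct in sorted(members.items()):
        for m in sorted(direct):
            if kind(group) == "task" and kind(m) != "role":
                findings.append(f"{m} is a direct member of {group}; expected a role group")
            elif kind(group) == "role" and kind(m) != "account":
                findings.append(f"{m} is nested in {group}; expected an admin account")
            elif kind(group) == "role":
                roles_of.setdefault(m, set()).add(group)
    for account, roles in sorted(roles_of.items()):
        if len(roles) > 1:  # allowed by the model, but worth a review
            findings.append(f"{account} holds {len(roles)} roles: {', '.join(sorted(roles))}")
    return findings


def effective_tasks(members, account):
    """Task groups an account reaches directly or through its role groups."""
    holders = {account} | {g for g, d in members.items()
                           if kind(g) == "role" and account in d}
    return sorted(g for g, d in members.items() if kind(g) == "task" and d & holders)


if __name__ == "__main__":
    for finding in audit(MEMBERS):
        print("FINDING:", finding)
    print("adm-alice ->", effective_tasks(MEMBERS, "adm-alice"))
```

On the sample data it reports the account placed directly in a task group and the account holding two roles, which the reply describes as the less common case.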