Tuesday, 11 September 2007

Reduced privilege administrators?

So, what do you do when you have staff that need to do certain administrative tasks in the AD but you don't really want to trust them with every permission going?

Until recently, our support desk personnel had 'Domain Admin' rights in our AD so they could add and remove user accounts, and were simply trusted not to do any harm. That is obviously not the best situation: you should trust someone to do something, not trust them not to do something.

There are two solutions to this. You can use the built-in 'Account Operators' group, which has certain rights delegated to it, including the ability to manipulate user and group objects in the AD; but in some cases this group has too many rights, as it also allows its members to shut the system down, for some inexplicable reason.

The better way is to create your own account administration group and delegate a specific subset of rights to it. The following articles discuss this in detail:

WindowSecurity.com: Built-in Groups vs Delegation
WindowSecurity.com: Implementing Active Directory Delegation of Administration
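
A worked example of that delegation, added here and not part of the original post or the linked articles: it uses the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later, so newer than this post) to grant an assumed group Helpdesk-AccountAdmins only create/delete-user, reset-password and unlock rights on an assumed OU, then lists the resulting ACEs so you can check nothing broader was granted.

```powershell
# Added example (not the post's own code). Assumed names: group 'Helpdesk-AccountAdmins'
# and OU 'OU=Staff,DC=example,DC=com'. Run as an account allowed to modify the OU's ACL.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl / Set-Acl

$ouDn    = 'OU=Staff,DC=example,DC=com'
$group   = Get-ADGroup 'Helpdesk-AccountAdmins'
$rootDse = Get-ADRootDSE

# Resolve class/attribute/right GUIDs from the schema and Extended-Rights containers
# rather than hardcoding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID).schemaIDGUID
}
$userClass     = Get-SchemaGuid 'user'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$lockoutTime   = Get-SchemaGuid 'lockoutTime'
$resetPwdRight = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

# Build one Allow ACE for the helpdesk group; inheritedObjectType limits it to a given object class.
function New-AdAce([string]$rights, [guid]$objectType, [string]$inheritance, [guid]$inheritedObjectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $group.SID, `
        ([System.DirectoryServices.ActiveDirectoryRights]$rights), `
        ([System.Security.AccessControl.AccessControlType]::Allow), `
        $objectType, `
        ([System.DirectoryServices.ActiveDirectorySecurityInheritance]$inheritance), `
        $inheritedObjectType
}

$rules = @(
    # Create and delete user objects in this OU and any sub-OUs (no other object classes).
    (New-AdAce 'CreateChild, DeleteChild' $userClass 'All' ([guid]::Empty))
    # The 'Reset Password' extended right on user objects below the OU, not full control over them.
    (New-AdAce 'ExtendedRight' $resetPwdRight 'Descendents' $userClass)
    # Write pwdLastSet (force a change at next logon) and lockoutTime (unlock) on users only.
    (New-AdAce 'WriteProperty' $pwdLastSet 'Descendents' $userClass)
    (New-AdAce 'WriteProperty' $lockoutTime 'Descendents' $userClass)
)

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: show exactly which ACEs the group now holds on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$($group.SamAccountName)" } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The final listing should show only the four ACEs above; anything else the group already holds on that OU (or inherits from its parent) will also appear there and is worth reviewing.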
