Security Basics mailing list archives

RE: local admin/ domain admin


From: "Herb Martin" <HerbM () LearnQuick COm>
Date: Wed, 7 Mar 2007 10:53:56 -0600

      I want to create an administrator account on the domain for my
helpdesk persons.  I basically want them to only add machines to the
domain, and add user accounts for new employees with the option to
change their passwords.  Basically, I do not want to give them the
administrator's password... and control what can be done potentially and
accidentally...  Can someone assist and let me know how I can do that?
Or provide me the procedures.  Any guidance would be great!


There is a built-in group called Account Operators that approximates
the privileges you wish to grant -- creating (etc.) low-level users and
adding computers to the domain.

Make them a member of this or create a group with similar privileges.

For delegating on a more granular level you can use the "Delegation
of Control" Wizard to grant privileges JUST to an OU (or OU tree);
use AD Users/Computers and right-click on the parent OU.

You can use the Windows admin kit and install the ADUC snap-in on an XP
machine; that way you won't have to give away the admin pwd

That won't help by itself since the user will still need to be
given the privileges to perform the tasks.

The AdminPak.msi (System32 directory of every DC) can be installed
on workstations (e.g., XP) to provide the tools, but you still need
to grant the privileges.

--
Herb Martin, MCSE MVP
512 388 7339
http://www.LearnQuick.Com
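
An added example, not part of the original message: the OU-scoped delegation described above expressed as explicit `dsacls` grants, followed by a review of what the group ended up with. The group name and OU distinguished names are placeholders, and the assumption is that helpdesk staff create users and join machines only inside these two OUs.

```powershell
# Added example (not from the thread). Placeholder names: replace with your own.
$Group      = 'EXAMPLE\Helpdesk'                    # hypothetical delegated group
$UserOU     = 'OU=Staff,DC=example,DC=com'          # hypothetical OU for new employees
$ComputerOU = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU for joined machines

# dsacls permission string: <bits>;<object or property>;<inherited object type>
# /I:T = this object and sub-objects, /I:S = sub-objects only
$Grants = @(
    # Create (CC) user objects in the OU tree
    @{ OU = $UserOU;     Inherit = 'T'; Perm = 'CC;user' },
    # "Reset Password" control access right (CA) on user objects below the OU
    @{ OU = $UserOU;     Inherit = 'S'; Perm = 'CA;Reset Password;user' },
    # Write pwdLastSet so "must change password at next logon" can be set
    @{ OU = $UserOU;     Inherit = 'S'; Perm = 'WP;pwdLastSet;user' },
    # Create computer objects, i.e. add machines to the domain in this OU
    @{ OU = $ComputerOU; Inherit = 'T'; Perm = 'CC;computer' }
)

foreach ($g in $Grants) {
    dsacls $g.OU "/I:$($g.Inherit)" /G "${Group}:$($g.Perm)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed for '$($g.Perm)' on $($g.OU)"
    }
}

# Review: list every ACE that names the group, so anything broader than the
# four grants above (for example full control left by an earlier change) stands out.
foreach ($ou in @($UserOU, $ComputerOU)) {
    "--- $ou"
    dsacls $ou | Select-String -SimpleMatch $Group
}
```

Unlike Account Operators membership, these grants stop at the OU boundary, so the review step only needs to be repeated for the OUs that were delegated.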
