Security Basics mailing list archives
RE: local admin/ domain admin
From: "Herb Martin" <HerbM () LearnQuick COm>
Date: Wed, 7 Mar 2007 10:53:56 -0600
I want to create an administrator account on the domain for my helpdesk persons. I basically want them to only add machines to the domain, and add user accounts for new employees with the option to change their passwords. Basically, I do not want to give them the administrator's password... and control what can be done potentially and accidentally... Can someone assist and let me know how I can do that? Or provide me the procedures. Any guidance would be great!
There is a built-in group called Account Operators that approximates the privileges you wish to grant -- creating (etc.) low level users and adding computers to the domain. Make them a member of this or create a group with similar privileges. For delegating on a more granular level you can use the "Delegation of Control" Wizard to grant privileges JUST to an OU (or OU tree): use AD Users/Computers and right-click on the parent OU.
You can use Windows admin kit and install the ADUC snap-in on an XP machine; that way you won't have to give away admin pwd.
That won't help by itself since the user will still need to be given the privileges to perform the tasks. The AdminPak.msi (System32 directory of every DC) can be installed on workstations (e.g., XP) to provide the tools, but you still need to grant the privileges.

--
Herb Martin, MCSE MVP 512 388 7339 http://www.LearnQuick.Com
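
The OU-scoped delegation discussed in this message, written as explicit ACL grants with the `dsacls` command-line tool. This is an added example, not part of the original post or the poster's own procedure; the OU, domain and group names are hypothetical placeholders.

```powershell
# Added example: the OU, domain and group below are assumed placeholder names.
$ou    = 'OU=Staff,DC=corp,DC=example'   # parent OU to delegate on (assumed)
$group = 'CORP\Helpdesk'                 # helpdesk security group (assumed)

# 1. Create user and computer objects in this OU and its sub-OUs.
#    /I:T = this object and sub-objects; CC = create child of the named class.
dsacls $ou /I:T /G "${group}:CC;user" "${group}:CC;computer"

# 2. Reset passwords on user objects below the OU.
#    /I:S = sub-objects only; CA = control access (an extended right).
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# 3. Allow "user must change password at next logon", which writes pwdLastSet.
#    WP = write property.
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"

# 4. Review the entries that now name the group and confirm nothing broader
#    (for example full control) was granted.
dsacls $ou | Select-String -SimpleMatch $group
```

These grants cover only object creation and password reset inside the one OU tree; any attribute the helpdesk must edit on an existing object needs its own WP entry. Run it from an account that is allowed to modify the OU's ACL.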