Posted by Steven L Umbach on July 11, 2005, 12:25 pm
You need to be more specific in what you need the users to do with AD for
the 2 users. Full access may not be possible without making the users domain
administrators. Otherwise you can use delegation and/or privileged group
membership to accomplish much of what you want. For instance, users of the
backup operators group for the domain in Active Directory Users and
Computers can back up and restore domain controllers. There are also separate
user rights for backup and restore in Domain Controller Security Policy.
The backup/restore could also be granted for all domain computers if that is
your goal.
Members of account operators in ADUC can create user accounts and groups for
the domain, or you can delegate authority to create users/computer accounts
and reset passwords for all but privileged group members. In other words, a
user delegated that power could never reset a domain administrator's
password. When you delegate for the domain/OU you can use standard or create
special permissions. The links below may help as examples of delegation,
which is done via modifying AD object permissions with or without the wizard,
which you can access by right-clicking the domain or OU container and selecting
delegate control. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;221577
http://support.microsoft.com/default.aspx?scid=kb;en-us;315676
http://www.microsoft.com/windows2000/techinfo/reskit/deploymentscenarios/scenarios/ou_delegate_admin_authority_secgroups.asp
> OK, I've looked around quite a bit and haven't found any solid answers for
> setting up security on administrator level accounts.
>
> Here is the scenario...
>
> We have 5 people who need to do different tasks on our Windows 2000 Domain
>
> All 5 need to be able to add accounts, reset passwords, join machines to
> domain.
> 3 need access to backups
> 2 need access to Exchange and AD - basically full access.
>
> We would also like to audit these accounts so we can see who did what and
> when.
>
> These accounts will be used for admin type things only, all users have their
> normal accounts for daily activities.
>
> Can someone offer some suggestions or point me to a good resource?
>
> Thanks,
> Erl
>
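
The OU-level delegation Steve describes (create user/computer accounts, reset passwords), done from the command line rather than through the Delegation of Control wizard. This is an added example, not part of the original post: it uses dsacls from the Windows Support Tools, and the OU, domain and group names are placeholders.

```batch
@echo off
rem Added example. The OU, domain and group below are placeholders,
rem not values from the thread; substitute your own before running.
set OU=OU=Staff,DC=example,DC=com
set GRP=EXAMPLE\AccountAdmins

rem Grant to a security group, not to individual users, so the five
rem admin accounts are managed by group membership alone.

rem Create and delete user objects in this OU and below (/I:T).
dsacls "%OU%" /I:T /G "%GRP%:CCDC;user"

rem Create and delete computer objects, so members can pre-create
rem the accounts used when machines are joined to the domain.
dsacls "%OU%" /I:T /G "%GRP%:CCDC;computer"

rem "Reset Password" control access right, inherited by user
rem objects under the OU only (/I:S = sub-objects).
dsacls "%OU%" /I:S /G "%GRP%:CA;Reset Password;user"

rem Write pwdLastSet, needed to tick "User must change password
rem at next logon" after a reset.
dsacls "%OU%" /I:S /G "%GRP%:WP;pwdLastSet;user"

rem Print the resulting ACL so the grants can be reviewed.
dsacls "%OU%"
```

Because the grants are scoped to one OU, they only reach the accounts placed in it; keeping privileged accounts outside that OU limits what the delegated group can touch.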