AD security for junior sysadmin

From: Marlon Brown (marlon_brown@hotmail.com)
Date: 11/01/02


From: "Marlon Brown" <marlon_brown@hotmail.com>
Date: Fri, 1 Nov 2002 07:03:18 -0800


I want to allow a certain admin in my company to:
- Create, delete, rename users in most OUs in AD, change SMTP Exchange
alias, create/delete Computer accounts
- Connect to most file & print servers and application servers in the domain
and be administrator on most computers in the domain.
- He SHOULD NOT be able to change any Group Policies. I blocked him from
doing that by hiding the Group Policy tab for his account - OK

Obstacle:
- All folders on all F&P servers have NTFS permissions fully controlled by
the "Domain Admins" group only.
Local\Administrator has no rights at all to hundreds of folders on my F&P
servers.

What I did:
I gave Domain Admins to this guy because first of all he needs to manage the
folders spread across dozens of F&P servers.
However, I am having trouble, as he shouldn't be able to create OUs in my AD
structure or be able to manage the CertainSpecialGroups&Users OU and its
objects.

What would be the best way to avoid this Domain Admin making changes to the
CertainSpecialGroups OU and its objects?
If I grant Domain Admins "read" permission to that OU, he can't delete
it - good.
However, I also want to block him from adding/removing people from any special
group under that OU.

Basically, I could let my Enterprise Admins with full control and Domain
Admins with limited access. Not sure on best way to accomplish that though.

P.S.: Also posted in .win2000.active_directory
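The question above comes down to two things a practitioner would want to check before relying on OU ACLs: what write-class access the principal actually holds on the special OU and the groups inside it (including the "member" attribute), and how the delegated rights could be granted to a dedicated group instead of handing out Domain Admins. The script below is an added example, not code from the original post or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name, domain name and the delegated group name are placeholders to be replaced. The "member" attribute GUID and the "user" class GUID are the well-known schema GUIDs.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module.
# $SpecialOu, $Principal and $DelegatedGroup are placeholders for your environment.
Import-Module ActiveDirectory

$SpecialOu      = 'OU=CertainSpecialGroups,DC=example,DC=com'   # placeholder DN
$Principal      = 'EXAMPLE\Domain Admins'                        # identity to audit (placeholder domain)
$DelegatedGroup = 'EXAMPLE\Helpdesk User Admins'                 # placeholder group for delegation
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "member" attribute
$UserClassGuid  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" object class

# Rights that let a principal change an object or its security, as opposed to only read it
$WriteRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor `
               [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree

function Get-WriteAccessReport {
    # Report every ACE on one AD object that gives $Identity write-class rights.
    param([string]$DistinguishedName, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (($ace.ActiveDirectoryRights -band $WriteRights) -eq 0) { continue }
        $scope = if ($ace.ObjectType -eq [Guid]::Empty)     { 'all attributes/children' }
                 elseif ($ace.ObjectType -eq $MemberAttrGuid) { 'member attribute' }
                 else                                         { $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Owner     = $acl.Owner                 # the owner can always rewrite the DACL
            Type      = $ace.AccessControlType     # Allow or Deny
            Rights    = $ace.ActiveDirectoryRights
            Scope     = $scope
            Inherited = $ace.IsInherited           # inherited ACEs come from the OU or domain above
        }
    }
}

function Grant-UserManagement {
    # Least-privilege alternative to Domain Admins for the "manage users in an OU" task:
    # the delegated group may create/delete user objects in the OU and edit existing users,
    # and nothing else. Run with -WhatIf on Set-Acl first if you want to preview.
    param([string]$OuDistinguishedName, [string]$GroupName)
    $identity = New-Object System.Security.Principal.NTAccount($GroupName)
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    # Create and delete child objects of class "user" directly in this OU and below.
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
         [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $UserClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # Full control over descendant user objects only (rename, reset password, edit mail attributes).
    $editUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($editUsers)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

# 1. Audit: the special OU itself plus every group object beneath it.
$targets = @($SpecialOu) + (Get-ADGroup -Filter * -SearchBase $SpecialOu |
                            Select-Object -ExpandProperty DistinguishedName)
$report  = foreach ($dn in $targets) { Get-WriteAccessReport -DistinguishedName $dn -Identity $Principal }
$report | Format-Table -AutoSize

# 2. Delegation: grant user management on an ordinary OU to the dedicated group instead.
# Grant-UserManagement -OuDistinguishedName 'OU=Staff,DC=example,DC=com' -GroupName $DelegatedGroup
```

Two caveats the report makes visible. First, the Owner column: a member of Domain Admins is also a member of the domain controllers' Administrators group, which holds take-ownership and WriteDacl rights over directory objects, so a Deny ACE on the special OU only stops accidental changes, not a determined holder of that membership; the durable fix is to not grant Domain Admins and instead delegate the user-management rights (as in Grant-UserManagement) and give the file-server folders their permissions through a separate "F&P Admins" group. Second, groups that are protected by AdminSDHolder (adminCount=1, such as Domain Admins, Account Operators and their nested members) have their ACLs reset by the SDProp process every hour, so any custom ACE placed on such a group inside that OU will silently disappear; check the Inherited and Type columns after an hour to confirm the ACEs you set are still there.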