Re: Delegate Authority
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 15 Dec 2005 12:11:35 -0500
Domain Admins is protected from delegation with the AdminSDHolder functionality; you can move that group into any OU you want and the delegation in that OU will not allow someone to modify the group. However, it is best practice to not delegate the OU holding high level IDs and groups to admins with lesser rights.
-- Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net
Les Arrowman wrote:
I brought up the great idea of removing the help desk folks from the Domain Admins group. I want to delegate certain roles to the HD folks by putting them in a group named 'SupportAdmins' or something similar.
If I give this group add/remove group memberships for an OU, say 'Organization', which then has all the sub-OUs for the various departments. I do NOT want the group inside the Organization OU, as they then have the ability to kick each other out of the group or attempt to add the SupportAdmins group to the Domain Admins group again, correct? (Someone before I got here moved the DomAdm group to the Organization OU)
In other words, should I make an OU outside of Organization named 'Delegates' and create the SupportAdmins group in there?
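An audit sketch for the layout discussed in this thread, added here as an example and not posted by either participant. It assumes the ActiveDirectory PowerShell module is available, that 'Organization' is a top-level OU, and that the delegate group is named 'SupportAdmins' as in the question; it lists the groups stamped by AdminSDHolder, flags a delegate group that sits inside the OU it administers, and shows who can write that group's membership.

```powershell
# Added example; requires the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

# Names taken from the question in this thread; adjust to your directory.
$delegateGroupName = 'SupportAdmins'
$delegatedOuName   = 'Organization'

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=$delegatedOuName,$domainDn"   # assumption: top-level OU

# 1. Groups stamped by AdminSDHolder (adminCount = 1) and whether they
#    currently live under the delegated OU.
Get-ADGroup -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object Name, DistinguishedName,
        @{ n = 'InDelegatedOU'; e = { $_.DistinguishedName -like "*,$ouDn" } }

# 2. Is the delegate group itself inside the OU it administers?
$delegate = Get-ADGroup -Identity $delegateGroupName
if ($delegate.DistinguishedName -like "*,$ouDn") {
    Write-Warning "$delegateGroupName sits under $ouDn; delegation on that OU also applies to the group itself."
}

# 3. Who holds an Allow ACE that permits writing 'member' on the delegate group?
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'member'
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
(Get-Acl -Path "AD:\$($delegate.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $writeProp) -and
        # ACE scoped to 'member', or unscoped (applies to all attributes)
        ($_.ObjectType -eq $memberAttr -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Rows in step 3 with `IsInherited` set to True come from a parent container, which is how a delegation on the surrounding OU reaches a group placed inside it.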