Re: Need limited domain admin rights user account.
From: Mike Bailey (mbailey_at_beaumontproducts.com)
Date: 08/09/05
Date: Tue, 9 Aug 2005 13:32:53 -0400
I basically understand what you are saying, but yet I don't understand it or
rather what to do. The last paragraph is also hard to understand from the
wording. Are you saying there to create a custom group that would be added
to each workstation with local administration rights? Part of my problem is
that I understand the concept of creating a group to give special
permissions, and then adding users into that group. I just don't know what,
or how to give most of the permissions that a Domain Admin would have. I
guess what would be nice is if someone could say "to create a super user
that can't take ownership of folders, can't change security settings on
folders, can't change Administrator passwords, here is what you would do..."
Mike
"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:O5ElAsKnFHA.3988@TK2MSFTNGP10.phx.gbl...
> One does not "revoke" rights from a Domain Admin.
> One can try for some capabilities, but it will be imperfect and
> they can walk around it if they wanted.
>
> Rather, the way to go is to define what capabilities a person
> should have and then create an account with those grants of
> user rights, NTFS permissions, AD delegations, etc.
> The best way is to make the grants to a new custom group, and
> give the person(s) new accounts that are members of this group,
> in addition to their normal day-to-day use account.
>
> Maintaining a WkstnAdmin custom group as a member of the
> machine local administrators group should not be a problem.
> At least, if it is then keeping Domain Admins as members of
> the machine local Administrators group would likely also be.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Mike Bailey" <mbailey@beaumontproducts.com> wrote in message
> news:ubZR9bEnFHA.3564@tk2msftngp13.phx.gbl...
>> I'm a new manager in my company and am "tightening" up some of the
>> security here. The domain administrator username/password is used too
>> freely here and has not changed in years. I want to change that, but at
>> the same time, need to give one of my staff most of the privileges she has
>> under the administrator. What I *don't* want her to be able to do is take
>> ownership of folders, or change the domain administrator password. In our
>> office, most users don't have local admins right to their pc's, so we log
>> in as the domain admin to make certain changes. She will still need this
>> ability. I thought about just creating another user it and adding it as a
>> local admin - but that's just something else to maintain on each machine.
>> I'd rather create a domain user that has the above restrictions, but still
>> has other admin rights.
>>
>> Any suggestions on how to create this?
>>
>> Thanks,
>> Mike
>>
>>
>
>
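The approach Roger Abell describes (a custom group, a second account for the person, and the group placed in each workstation's local Administrators group) can be scripted as below. This is an added example, not part of the original thread; it assumes the ActiveDirectory module, PowerShell 5.1 with remoting enabled on the workstations, and placeholder values for the domain name (EXAMPLE), both OU paths and the account name (jdoe-wa). Only the group name WkstnAdmin comes from the thread.

```powershell
#Requires -Modules ActiveDirectory
# Placeholders (assumptions, not from the thread): EXAMPLE, both OUs, jdoe-wa.
$GroupName     = 'WkstnAdmin'                        # name used in the thread
$LocalMember   = "EXAMPLE\$GroupName"                # NetBIOS domain is a placeholder
$AdminOU       = 'OU=Admin Accounts,DC=example,DC=com'
$WorkstationOU = 'OU=Workstations,DC=example,DC=com'
$AdminSam      = 'jdoe-wa'   # second account, separate from the day-to-day one

# 1. Custom group that carries the grants. It is NOT nested in Domain Admins,
#    so it has no rights on domain controllers or servers unless granted there.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $AdminOU `
        -Description 'Local admin on workstations only'
}

# 2. Dedicated admin account for the staff member, added to the custom group.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$AdminSam'")) {
    New-ADUser -Name $AdminSam -SamAccountName $AdminSam -Path $AdminOU `
        -AccountPassword (Read-Host 'Initial password' -AsSecureString) `
        -ChangePasswordAtLogon $true -Enabled $true
}
if ($AdminSam -notin (Get-ADGroupMember -Identity $GroupName).SamAccountName) {
    Add-ADGroupMember -Identity $GroupName -Members $AdminSam
}

# 3. Put the group into local Administrators on every workstation in the OU,
#    and return the resulting membership so it can be reviewed.
$computers = Get-ADComputer -Filter * -SearchBase $WorkstationOU |
    Select-Object -ExpandProperty DNSHostName
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    $current = (Get-LocalGroupMember -Group 'Administrators').Name
    if ($current -notcontains $using:LocalMember) {
        Add-LocalGroupMember -Group 'Administrators' -Member $using:LocalMember
    }
    [pscustomobject]@{
        Admins = (Get-LocalGroupMember -Group 'Administrators').Name -join '; '
    }
}
$results | Sort-Object PSComputerName | Format-Table PSComputerName, Admins -Wrap

# 4. Machines that were off or unreachable still need the change later.
$computers | Where-Object { $_ -notin $results.PSComputerName } |
    ForEach-Object { Write-Warning "No result from $_" }
```

The same membership can also be pushed through Group Policy (Restricted Groups, or Group Policy Preferences "Local Users and Groups"), which covers machines that are offline when the script runs.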