Active Directory to Domain Admin

Posted on 2002-04-01
Last Modified: 2012-05-04
I'm wondering how you go about delegating Active Directory to your administrators. Surely, you do not want every Network Administrator to have access to everything in AD at their workstations. I have several people that aren't that responsible so giving them access to AD is a bit risky. I'm thinking of giving only certain privileges like administrating accounts, shared folders, and printers.

Is there a way to control AD in workstations? Thanks, again.
Question by:ch12345
LVL 7

Expert Comment

by:jmiller47
ID: 6912036
What kind of tasks are you planning to delegate to your administrators?
0
 

Accepted Solution

by: andyp2912 earned 150 total points
ID: 6912720
There are several things you can do to delegate administrative tasks:
- Delegation of Control Wizard
- Customized MMC
- TaskPadView

Delegation of Control Wizard:
=============================
First distribute your AD objects into OUs, according to who should be able to manage them.
Then run the Delegation of Control Wizard to enable one or several users to do some or all administrative tasks in this OU only.

Customized MMC:
===============
You can customize the way an administrative tool (i.e. "Active Directory Users and Computers") looks and store this new look in a *.MSC file. Make sure that the admins in question only run this *.MSC file, but not the original MMC.

TaskPadView:
============
With TaskPadViews you can customize the MMC even further.
Here's a quick overview:
- Open the MMC in question (i.e. "Active Directory Users and Computers")
- right-click the object you want to let the admin manage and select "New window from here"
- assign permissions as needed (e.g. "Delegation of Control Wizard")
- Select "Console\Options\Console Mode" from the menu and make the necessary adjustments
- Set filters as needed
- Save as *.MSC file and give your admin access to it


You can find all administrative tools on the Windows 2000 server CD. Install them on a workstation to manage AD from there. Alternatively install Terminal Services on the Windows 2000 server in Administrative Mode (max. 2 connections at the same time, no license necessary) and allow the admins to manage the server via Terminal Services.
0
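The OU-scoped delegation described in the accepted answer can also be granted and checked from the command line with `dsacls.exe`, which makes the resulting permissions easy to review. This is an added example, not part of the original answer; the OU path and group name are hypothetical and the tasks shown (password reset, account unlock, user creation) are assumed for illustration.

```powershell
# Added example. Assumed names: OU=Branch1,DC=example,DC=com and
# EXAMPLE\Branch1-Helpdesk are placeholders, not values from the thread.
# dsacls.exe is installed with the AD administrative tools
# (Support Tools on Windows 2000).
$ou    = 'OU=Branch1,DC=example,DC=com'   # hypothetical OU holding the delegated objects
$group = 'EXAMPLE\Branch1-Helpdesk'        # hypothetical group for the junior admins

# 1. Allow password resets on user objects below the OU only.
#    /I:S = apply to sub-objects, CA = control access (extended right).
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"

# 2. Allow unlocking accounts and forcing a password change at next logon
#    by granting read/write on just those two attributes of user objects.
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"
dsacls $ou /I:S /G "${group}:RPWP;pwdLastSet;user"

# 3. Allow creating and deleting user objects in this OU and its sub-OUs.
#    /I:T = this object and sub-objects, CC/DC = create/delete child.
dsacls $ou /I:T /G "${group}:CCDC;user"

# 4. Review what the group actually holds on the OU. Anything broader than
#    the entries granted above (for example FULL CONTROL) should be removed.
dsacls $ou | Select-String -SimpleMatch $group
```

Because the rights live in the ACL of the OU, they apply no matter which console or snap-in the delegated admin opens; a customized *.MSC file only changes what is displayed.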
 
LVL 7

Expert Comment

by:jmiller47
ID: 6913652
Great info andyp! One point to make though. The administrative tools that were mentioned above are installed by using adminpak.msi from the i386 directory on the Windows 2000 CDROM. This will install all of the administrative tools and the Terminal Service Client.
0
 

Author Comment

by:ch12345
ID: 6914346
Thanks. But Adminpak gives everything to a network administrator. I could delete some shortcuts to, for example, DHCP, WINS, DNS, and other goodies, but how safe is my server still???

MMC is probably the way to go. I'll try and modify it.
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 6914712
You will still need to install specific MMC snap-ins on each admin's PC. The only way to ensure that your info is safe is that you would most likely create your own custom MMCs but you still MUST do the delegation of control wizard for each object that you want another person to administer. Anyone who has power user or above local rights can install MMC snap-ins to administer objects. Unless you lock them down using delegation of control wizards, your AD objects will not be safe.
0
