Solved

Active Directory to Domain Admin

Posted on 2002-04-01
Last Modified: 2012-05-04
I'm wondering how you go about delegating Active Directory to your administrators. Surely, you do not want every Network Administrator to have access to everything in AD at their workstations. I have several people that aren't that responsible so giving them access to AD is a bit risky. I'm thinking of giving only certain privileges like administrating accounts, shared folders, and printers.

Is there a way to control AD in workstations? Thanks, again.
0
Question by:ch12345
 
LVL 7

Expert Comment

by:jmiller47
ID: 6912036
What kind of tasks are you planning to delegate to your administrators?
0
 

Accepted Solution

by:
andyp2912 earned 50 total points
ID: 6912720
There are several things you can do to delegate administrative tasks:
- Delegation of Control Wizard
- Customized MMC
- TaskPadView

Delegation of Control Wizard:
=============================
First distribute your AD objects into OUs, according to who should be able to manage them.
Then run the Delegation of Control Wizard to enable one or several users to do some or all administrative tasks in this OU only.

Customized MMC:
===============
You can customize the way an administrative tool (i.e. "Active Directory Users and Computers") looks and store this new look in a *.MSC file. Make sure that the admins in question only run this *.MSC file, but not the original MMC.

TaskPadView:
============
With TaskPadViews you can customize the MMC even further.
Here's a quick overview:
- Open the MMC in question (i.e. "Active Directory Users and Computers")
- Right-click the object you want to let the admin manage and select "New window from here"
- Assign permissions as needed (e.g. "Delegation of Control Wizard")
- Select "Console\Options\Console Mode" from the menu and make the necessary adjustments
- Set filters as needed
- Save as *.MSC file and give your admin access to it


You can find all administrative tools on the Windows 2000 server CD. Install them on a workstation to manage AD from there. Alternatively, install Terminal Services on the Windows 2000 server in Administrative Mode (max. 2 connections at the same time, no license necessary) and allow the admins to manage the server via Terminal Services.
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 6913652
Great info andyp! One point to make though. The administrative tools that were mentioned above are installed by using adminpak.msi from the i386 directory on the Windows 2000 CDROM. This will install all of the administrative tools and the Terminal Service Client.
0
 

Author Comment

by:ch12345
ID: 6914346
Thanks. But Adminpak gives everything to a network administrator. I could delete some shortcuts to, for example, DHCP, WINS, DNS, and other goodies, but how safe is my server still???

MMC is probably the way to go. I'll try and modify it.
0
 
LVL 7

Expert Comment

by:jmiller47
ID: 6914712
You will still need to install specific MMC snap-ins on each admin's PC. The only way to ensure that your info is safe is that you would most likely create your own custom MMCs but you still MUST do the delegation of control wizard for each object that you want another person to administer. Anyone who has power user or above local rights can install MMC snap-ins to administer objects. Unless you lock them down using delegation of control wizards, your AD objects will not be safe.
0
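
The thread's conclusion is that the OU permissions written by the Delegation of Control Wizard are the actual control, not which consoles or shortcuts an admin can see. The following is an added example, not part of the original thread, that lists the explicit delegations on every OU so they can be reviewed. It assumes the ActiveDirectory PowerShell module, which postdates the Windows 2000 tools discussed above, and the list of default principals to ignore is an assumption to tune for your domain.

```powershell
# Added example: report explicit (non-inherited) Allow ACEs on every OU.
# Run on a machine with the ActiveDirectory module, as a user who can read OU ACLs.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Assumption: principals expected to hold rights on OUs by default.
$defaultPrincipals = '\\SYSTEM$|\\Administrators$|\\Domain Admins$|' +
                     '\\Enterprise Admins$|\\ENTERPRISE DOMAIN CONTROLLERS$|' +
                     '\\Account Operators$|\\Print Operators$|\\Authenticated Users$'

# Rights that let the holder rewrite the ACL or take ownership of the object.
# GenericAll (Full Control) contains both bits, so it is flagged as well.
$takeover = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                     # set higher up; reported there
        if ($ace.AccessControlType -ne 'Allow') { continue }   # only grants are of interest
        $who = "$($ace.IdentityReference)"
        if ($who -match $defaultPrincipals) { continue }

        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Principal   = $who
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = $ace.InheritanceType   # None, Children, Descendents, All ...
            ObjectType  = $ace.ObjectType        # GUID of the attribute/class, or all zeros
            CanTakeOver = [bool]($ace.ActiveDirectoryRights -band $takeover)
        }
    }
}

# Delegations that amount to full control of the OU sort to the top.
$report |
    Sort-Object @{ Expression = 'CanTakeOver'; Descending = $true }, OU, Principal |
    Format-Table -AutoSize -Wrap
```

Any row with `CanTakeOver` set to `True` is a delegation broader than the account, shared folder and printer tasks the question asks for, whatever the delegate's customized console displays.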
