Solved

Active Directory to Domain Admin

Posted on 2002-04-01
Last Modified: 2012-05-04
I'm wondering how you go about delegating Active Directory to your administrators. Surely, you do not want every Network Administrator to have access to everything in AD at their workstations. I have several people that aren't that responsible, so giving them access to AD is a bit risky. I'm thinking of giving only certain privileges like administrating accounts, shared folders, and printers.

Is there a way to control AD in workstations? Thanks, again.
Question by:ch12345
LVL 7

Expert Comment

by:jmiller47
ID: 6912036
What kind of tasks are you planning to delegate to your administrators?
 

Accepted Solution

by:
andyp2912 earned 50 total points
ID: 6912720
There are several things you can do to delegate administrative tasks:
- Delegation of Control Wizard
- Customized MMC
- TaskPadView

Delegation of Control Wizard:
=============================
First distribute your AD objects into OUs, according to who should be able to manage them.
Then run the Delegation of Control Wizard to enable one or several users to do some or all administrative tasks in this OU only.

Customized MMC:
===============
You can customize the way an administrative tool (i.e. "Active Directory Users and Computers") looks and store this new look in a *.MSC file. Make sure that the admins in question only run this *.MSC file, but not the original MMC.

TaskPadView:
============
With TaskPadViews you can customize the MMC even further.
Here's a quick overview:
- Open the MMC in question (i.e. "Active Directory Users and Computers")
- Right-click the object you want to let the admin manage and select "New window from here"
- Assign permissions as needed (e.g. "Delegation of Control Wizard")
- Select "Console\Options\Console Mode" from the menu and make the necessary adjustments
- Set filters as needed
- Save as *.MSC file and give your admin access to it


You can find all administrative tools on the Windows 2000 server CD. Install them on a workstation to manage AD from there. Alternatively, install Terminal Services on the Windows 2000 server in Administrative Mode (max. 2 connections at the same time, no license necessary) and allow the admins to manage the server via Terminal Services.
 
LVL 7

Expert Comment

by:jmiller47
ID: 6913652
Great info andyp! One point to make, though. The administrative tools that were mentioned above are installed by using adminpak.msi from the i386 directory on the Windows 2000 CDROM. This will install all of the administrative tools and the Terminal Service Client.
 

Author Comment

by:ch12345
ID: 6914346
Thanks. But Adminpak gives everything to a network administrator. I could delete some shortcuts to, for example, DHCP, WINS, DNS, and other goodies, but how safe is my server still???

MMC is probably the way to go. I'll try and modify it.
 
LVL 7

Expert Comment

by:jmiller47
ID: 6914712
You will still need to install specific MMC snap-ins on each admin's PC. The only way to ensure that your info is safe is that you would most likely create your own custom MMCs but you still MUST do the delegation of control wizard for each object that you want another person to administer. Anyone who has power user or above local rights can install MMC snap-ins to administer objects. Unless you lock them down using delegation of control wizards, your AD objects will not be safe.
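
Added example, not part of any post in this thread: the OU-scoped delegation the answers describe, done from the command line with `dsacls` and then reviewed by reading the OU's ACL, since the ACL rather than the console layout is what limits an admin. The OU and group names are placeholders, and the review step assumes the RSAT `ActiveDirectory` PowerShell module on a later Windows version.

```powershell
# Added example: the OU and group names are hypothetical placeholders.
$ou    = 'OU=Staff,DC=example,DC=com'   # OU holding the accounts to delegate
$group = 'EXAMPLE\Staff-AccountOps'     # group containing the junior admins

# 1. Grant only what the task needs, on user objects below the OU.
#    /I:S = apply to child objects only; CA = control access (extended right);
#    WP = write property. The third field limits the ACE to user objects.
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:WP;pwdLastSet;user"    # "must change password at next logon"
dsacls $ou /I:S /G "${group}:WP;lockoutTime;user"   # unlock a locked-out account

# 2. Review the explicit (non-inherited) Allow ACEs actually set on the OU.
Import-Module ActiveDirectory                        # assumption: RSAT AD module installed
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right

(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights,
        @{ Name = 'Right'
           Expression = { if ($_.ObjectType -eq $resetPassword) { 'Reset Password' }
                          else { $_.ObjectType } } },
        @{ Name = 'Broad'   # flag ACEs that amount to full control of the OU
           Expression = { $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' } },
        InheritanceType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Any row for the delegated group with `Broad` set to `True` means the group can rewrite the OU's permissions and is no longer limited to the tasks granted in step 1.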