Active Directory to Domain Admin

I'm wondering how you go about delegating Active Directory to your administrators. Surely, you do not want every Network Administrator to have access to everything in AD at their workstations. I have several people that aren't that responsible so giving them access to AD is a bit risky. I'm thinking of giving only certain privileges like administrating accounts, shared folders, and printers.

Is there a way to control AD in workstations? Thanks, again.
andyp2912 Commented:
There are several things you can do to delegate administrative tasks:
- Delegation of Control Wizard
- Customized MMC
- TaskPadView

Delegation of Control Wizard:
First distribute your AD objects into OUs, according to who should be able to manage them.
Then run the Delegation of Control Wizard to enable one or several users to do some or all administrative tasks in this OU only.

Customized MMC:
You can customize the way an administrative tool (i.e. "Active Directory Users and Computers") looks and store this new look in a *.MSC file. Make sure that the admins in question only run this *.MSC file, but not the original MMC.

With TaskPadViews you can customize the MMC even further.
Here's a quick overview:
- Open the MMC in Question (i.e. "Active Directory Users and Computers")
- Right-click the object you want to let the admin manage and select "New window from here"
- Assign permissions as needed (e.g. "Delegation of Control Wizard")
- Select "Console\Options\Console Mode" from the menu and make the necessary adjustments
- Set filters as needed
- Save as *.MSC file and give your admin access to it

You can find all administrative tools on the Windows 2000 server CD. Install them on a workstation to manage AD from there. Alternatively install Terminal Services on the Windows 2000 server in Administrative Mode (max. 2 connections at the same time, no license necessary) and allow the admins to manage the server via Terminal Services.
What kind of tasks are you planning to delegate to your administrators?
Great info andyp! One point to make though. The administrative tools that were mentioned above are installed by using adminpak.msi from the i386 directory on the Windows 2000 CDROM. This will install all of the administrative tools and the Terminal Service Client.
ch12345 (Author) Commented:
Thanks. But Adminpak gives everything to a network administrator. I could delete some shortcuts to, for example, DHCP, WINS, DNS, and other goodies, but how safe is my server still???

MMC is probably the way to go. I'll try and modify it.
You will still need to install specific MMC snap-ins on each admin's PC. The only way to ensure that your info is safe is that you would most likely create your own custom MMCs but you still MUST do the delegation of control wizard for each object that you want another person to administer. Anyone who has power user or above local rights can install MMC snap-ins to administer objects. Unless you lock them down using delegation of control wizards, your AD objects will not be safe.
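
The last comment's point is that the permissions on the AD objects, not the console an admin runs, are what limit them. One way to check what has actually been delegated on an OU is to list its explicit (non-inherited) permissions. This is an added example, not part of the thread; it assumes a later Windows version with PowerShell and the ActiveDirectory module, and the OU name is a placeholder.

```powershell
# Added example: report the explicit "Allow" permissions delegated on one OU.
# Assumption: ActiveDirectory module (RSAT) is installed; run as a user who can read the ACL.
Import-Module ActiveDirectory

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn   # distinguished name of the OU to audit
    )

    # Build a GUID -> name map so ACEs show attribute/right names instead of raw GUIDs.
    $rootDse = Get-ADRootDSE
    $guidMap = @{}
    $guidMap[[guid]::Empty] = 'All'

    # Schema classes and attributes (schemaIDGUID is stored as a byte array).
    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                 -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

    # Extended rights such as "Reset Password" (rightsGuid is stored as a string).
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' `
                 -Properties name, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

    # Keep only ACEs set directly on this OU; inherited ones come from higher up.
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference,
                      ActiveDirectoryRights,
                      @{ n = 'RightOrAttribute'; e = { $guidMap[$_.ObjectType] } },
                      @{ n = 'AppliesTo';        e = { $guidMap[$_.InheritedObjectType] } },
                      InheritanceType,
                      # Flag grants that amount to full control of the OU's objects.
                      @{ n = 'Broad'; e = {
                          "$($_.ActiveDirectoryRights)" -match 'GenericAll|WriteDacl|WriteOwner'
                      } }
}

# Placeholder OU; replace with the OU you ran the Delegation of Control Wizard on.
Get-OuDelegation -OuDn 'OU=Sales,DC=example,DC=com' |
    Sort-Object Broad -Descending |
    Format-Table -AutoSize
```

Rows with `Broad` set to `True`, or with `RightOrAttribute` and `AppliesTo` both showing `All`, are grants wider than a task-level delegation such as resetting passwords on user objects.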
Question has a verified solution.
