• Status: Solved

Granting rights to another Administrator

How do I limit another administrator's account so he can only do specific tasks in the domain? I am using Windows 2003 Standard Server. Thank you.

Rich

Asked by: r_yague
 
luv2smile commented:
Please tell us in a little more detail what you want to do. What specific tasks do you want the user to perform?

You can't really limit another domain admin... if they are a domain admin then they have all the same and equal rights that any other domain admin has. What you would need to do is to take away their admin rights by removing them from the domain admin group and moving them into the domain users group (I assume this is what you mean when you say admin account). Then you would need to use delegation in order to delegate specific tasks to their domain user account.

If you tell us what tasks you want the user to do then we can help you a little bit more. For now, take a look at this guide:


http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en
 
Rich Rumble (Security Samurai) commented:
You can limit a user account, even a domain admin's user account, using Active Directory...
http://www.microsoft.com/nz/smallbusiness/issues/sgc/articles/sec_ad_admin_groups.mspx
-rich
 
CoccoBill commented:

 
r_yague (Author) commented:
Thanks for the links... Here's what I really want to do: I am the primary administrator. The other administrator will not be able to do anything on the whole domain controller and all services like DNS, Remote Desktop, Terminal Server, VPN and others... except to be able to manage only user accounts, computer accounts, printers, shared folders and other resources. I want him to be able to give permission rights and reset passwords, but not be able to change anything on any administrator account. What is the best way to do this? Thanks in advance.
 
CoccoBill commented:
Create a domain local group and use the Delegation of Control Wizard in ADUC to grant him the rights, e.g. full access to user/computer accounts in the OU containing all users/computers etc., and add the user to this group. The best-practice approach would be to also create a global group which is added to the local group, with the user placed in this global group. Printer management rights are most easily achieved by adding the user to the printer operators builtin group. Reset passwords can be given through the Delegation of Control Wizard to the whole domain, but make sure to place all admin/service accounts and groups in a separate OU and remove all rights to the OU from non-admin users.
 
r_yague (Author) commented:
CoccoBill, will your suggestion limit the user to only administration rights for the specific OU, so that he is not able to do anything on the domain controller settings? Like My Computer, Remote Desktop, VPN, DNS, DHCP, Add/Remove Programs, etc.
 
CoccoBill commented:
Yes, the administration model in an Active Directory environment is extremely flexible; if you really want, you can specify what type of access a certain user/group has to a certain attribute of a certain object. The flexibility also makes the model quite complex and makes it fairly easy to shoot yourself in the leg, so be sure to test everything first before making changes in the production environment. Targeting the Delegation of Control Wizard to a specific OU only affects that OU and objects inside it; as an analogy, think of it as a file folder where you give NTFS permissions.
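The delegation steps from the thread, as an added command-line example that is not part of any post above: it uses the Windows Server 2003 directory tools (dsadd, dsmod, dsget, and dsacls from the Support Tools) in place of the ADUC wizard. The domain, OU, group and user names are placeholders, and the OUs are assumed to exist already.

```batch
@echo off
setlocal
rem Added example. Every name below is a placeholder, not taken from the thread.
set DOMAIN_DN=DC=example,DC=local
set NETBIOS=EXAMPLE
set STAFF_OU=OU=Staff,%DOMAIN_DN%
set GROUPS_OU=OU=Groups,%DOMAIN_DN%
set DL=DL-Staff-AccountAdmins
set GG=GG-Staff-AccountAdmins
set DELEGATE_DN=CN=Second Admin,OU=IT,%DOMAIN_DN%

rem 1. The domain local group carries the permissions; the global group carries the people.
dsadd group "CN=%DL%,%GROUPS_OU%" -secgrp yes -scope l -samid %DL% || goto :fail
dsadd group "CN=%GG%,%GROUPS_OU%" -secgrp yes -scope g -samid %GG% || goto :fail
dsmod group "CN=%DL%,%GROUPS_OU%" -addmbr "CN=%GG%,%GROUPS_OU%" || goto :fail
dsmod group "CN=%GG%,%GROUPS_OU%" -addmbr "%DELEGATE_DN%" || goto :fail

rem 2. Staff OU only: create/delete user and computer objects (/I:T = this object
rem    and below), then full control of those child objects (/I:S = sub-objects only).
dsacls "%STAFF_OU%" /I:T /G "%NETBIOS%\%DL%:CCDC;user" || goto :fail
dsacls "%STAFF_OU%" /I:T /G "%NETBIOS%\%DL%:CCDC;computer" || goto :fail
dsacls "%STAFF_OU%" /I:S /G "%NETBIOS%\%DL%:GA;;user" || goto :fail
dsacls "%STAFF_OU%" /I:S /G "%NETBIOS%\%DL%:GA;;computer" || goto :fail
rem    Narrower alternative to GA on users: "%NETBIOS%\%DL%:CA;Reset Password;user"
rem    Admin and service accounts sit in a separate OU that receives no ACE here.

rem 3. Printers via the built-in Print Operators group. By default its members may
rem    log on locally to domain controllers, so weigh that against the goal.
dsmod group "CN=Print Operators,CN=Builtin,%DOMAIN_DN%" -addmbr "%DELEGATE_DN%" || goto :fail

rem 4. Verify: show the ACEs the group now holds on the OU, and warn if the
rem    delegate is still a direct or nested member of Domain Admins.
dsacls "%STAFF_OU%" | findstr /I "%DL%"
dsget user "%DELEGATE_DN%" -memberof -expand | findstr /I /C:"CN=Domain Admins," && echo WARNING: delegate is still in Domain Admins
goto :eof

:fail
echo Step failed with errorlevel %errorlevel%; review the output above.
exit /b 1
```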
