• Status: Solved
  • Priority: Medium
  • Security: Public

Minimizing Permissions of Users Who Do Not Need To Be Domain Admins

I need some good advice about the following situation.  I have two users in our company who are currently Domain Admins.  Neither one of these guys should have these rights, but I have not figured out a way to give them what they need without giving them these privileges.  Here is what they need to do:

1.  Modify workstations; load software, add and remove from AD.
2.  Access only those servers that pertain to their specific areas of the company - I want to give them access, but not the ability to manipulate the system (i.e. load software, etc).
3.  Change user properties in the AD.
1 Solution
Hi isd503,

1.  Load software/modify workstation - LOCAL admins on the workstations.  Add/Remove from AD, grant their user accounts rights using the Delegation Wizard - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx#ELD

2.  You will need to be more specific here.  You do not want them to install/remove software but they need access - what level of access?  Files?  RDP?  If files, modify share and NTFS permissions to allow.  If they need to reach the server desktop, remove them from local admin and domain admin and add them to the Remote Desktop Users group of the server.

3.  Use the rights delegation wizard - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx#ELD
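
The three steps in the answer above, scripted as an added example (not part of the original answer): it grants the OU rights with `dsacls` instead of the wizard, moves server access to Remote Desktop Users, and then checks that no Domain Admins membership survives through group nesting. The domain, OU, group, account and server names are hypothetical, and it assumes the RSAT ActiveDirectory module, PowerShell 5.1 and WinRM on the servers.

```powershell
# Added example; every name below (domain, OUs, group, accounts, servers) is a
# hypothetical placeholder. Run from an admin workstation with RSAT installed.
Import-Module ActiveDirectory

$Domain        = 'EXAMPLE'
$WorkstationOU = 'OU=Workstations,DC=example,DC=com'
$UserOU        = 'OU=Staff,DC=example,DC=com'
$RoleGroup     = 'Workstation-Techs'
$Techs         = 'tech1', 'tech2'
$Servers       = 'APPSRV01', 'APPSRV02'

# One role group carries every delegated right, so nothing is granted per user.
if (-not (Get-ADGroup -Filter "Name -eq '$RoleGroup'")) {
    New-ADGroup -Name $RoleGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $RoleGroup -Members $Techs

# Items 1 and 3: delegation set directly on the OUs rather than via the wizard.
# CCDC = create/delete computer objects in this OU and below (/I:T).
dsacls $WorkstationOU /I:T /G "$Domain\${RoleGroup}:CCDC;computer"
# RPWP = read/write all properties, inherited only by user objects (/I:S).
dsacls $UserOU /I:S /G "$Domain\${RoleGroup}:RPWP;;user"
# Local admin on workstations is usually pushed by Group Policy (Restricted
# Groups) with the role group as the member, so it is not scripted here.

# Item 2: desktop access to their servers without local admin rights.
Invoke-Command -ComputerName $Servers -ScriptBlock {
    $d = $using:Domain; $g = $using:RoleGroup
    foreach ($t in $using:Techs) {
        # Drop any direct local-admin entry; ignore "not a member" errors.
        Remove-LocalGroupMember -Group 'Administrators' -Member "$d\$t" -ErrorAction SilentlyContinue
    }
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member "$d\$g" -ErrorAction SilentlyContinue
}

# Finally remove the Domain Admins membership and confirm it is really gone,
# including membership inherited through nested groups.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $Techs -Confirm:$false
$still = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $Techs -contains $_.SamAccountName }
if ($still) {
    Write-Warning "Still Domain Admins via nesting: $($still.SamAccountName -join ', ')"
}
```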

