ccdc12 asked:
Domain Administrator Account

I have a question about the domain administrator account.
I am the only one that has domain administrator rights. I need help on assigning the right permissions to a user that can log on to any server in the domain but cannot disable my login or the administrator account.
Also I was told to rename the domain administrator account and create another user account named administrator. They also need to be able to remote desktop into the servers.
How can I give this other user just enough rights that they cannot mess with my account?
my account example: john.doe
their account example: jane.pain
rename administrator example:
Toni Uranjek

Hi!

What is jane.pain supposed to do when they log on to servers? By servers do you mean also domain controllers or just member servers?

Toni
Add the user you want to have server access to the Server Operators local group on the servers. You can do this through Restricted Groups; he can then perform server operator tasks on those servers.

As for the second, there is a group called Remote Desktop Users; add the user you want to be able to remote to the desktop and they can get onto the RDP session then. Please note this group only exists in Win 2003.
"I am the only one that has domain administrator rights. I need help on assigning the right permissions to a user that can log on to any server in the domain but cannot disable my login or the administrator account."

If you have run into your domain admin account being disabled, it was probably due to being logged on somewhere within the domain while you made a password change. If logged on, you will immediately be locked out. You could go into the domain admin account and select "password never expires" to prevent this from happening. Then, when you wish to change the domain logon, you need to make sure no services are running as administrator and you are not logged into any other machine, locally or remotely. Another thing you can do is create a second Domain admin account in the event the 1st one gets locked out.

To grant users permissions to log on using remote desktop, Slam has the answer for this. You can also specify what machines they can log into by right-clicking My Computer >> going to Properties >> selecting the Remote tab >> selecting the checkbox that allows users to log onto this computer remotely >> then defining the users that are allowed to log onto that computer using the Select Remote Users button.

Another thing you can do is create a group and allow the whole group to access the computer remotely.

To define permissions, you might want to use a little tool that defines what they are capable of doing when logged on. For this, see the Delegation of Control Wizard.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/ctrlwiz.mspx

ccdc12 (ASKER)
Toniur,
The user jane.pain will need to log on to both types of server: DC and member server.
The user will connect to the DC and member server by remote desktop and, standing in front of the server, log on locally.
The user jane.pain will want to be able to add users and computers to the domain.
Does not need to add servers.
I have folders set up for each dept with the user and computer domain accounts in them.
Then, as suggested, user jane.pain needs to be added to the Server Operators role and the Remote Desktop Users role.
ccdc12 (ASKER)
To help clarify: I want to give the user jane.pain enough administrator rights, but not enough for that user to change/remove/edit my account or the domain administrator account/administrator account.
I think I'm being ignored lol
ccdc12 (ASKER)
Slam69,
Where do you add the "Server Operators role and the Remote Desktop Users role"?
If you want it to be on a couple of machines only, then log onto the machines and add the user into the local built-in group. If you're not sure how to do this, go to Control Panel, click Administrative Tasks??, open Computer Management, go to Local Users and Groups, right-click the group and add.

If you want the user to be part of this role everywhere, use the Restricted Groups option in AD and they will be added to that group on all your Win 2003 machines; just scroll down to "Using Restricted Groups".

http://www.windowsecurity.com/articles/Increasing-Security-Limited-User-Accounts-Restricted-Groups.html
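The local-group step from this reply and the earlier Server Operators / Remote Desktop Users reply, written out as an added PowerShell example (not code from the thread). It assumes a domain named EXAMPLE, the account jane.pain, two constructed member-server names, PowerShell Remoting, and the LocalAccounts cmdlets that ship with Windows PowerShell 5.1 on the targets; the `net localgroup` command in the comment is the equivalent on older systems such as Windows 2003, which lack those cmdlets. Server Operators is a domain built-in group that exists on the domain controllers, so that membership is set once in the domain rather than per server.

```powershell
# Added example, not from the thread. Assumes domain EXAMPLE, user jane.pain,
# constructed server names MEMSRV01/MEMSRV02, PowerShell Remoting enabled, and the
# Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1) on each target.
# On Windows 2003 the equivalent is: net localgroup "Remote Desktop Users" EXAMPLE\jane.pain /add
$servers = @('MEMSRV01', 'MEMSRV02')   # constructed names
$member  = 'EXAMPLE\jane.pain'
$group   = 'Remote Desktop Users'

$report = Invoke-Command -ComputerName $servers -ArgumentList $member, $group -ScriptBlock {
    param($member, $group)

    # Add only if not already present, so the script can be re-run safely.
    $already = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $member }
    if (-not $already) {
        Add-LocalGroupMember -Group $group -Member $member
    }

    # Return the resulting membership so the change can be reviewed and logged.
    [pscustomobject]@{
        Server  = $env:COMPUTERNAME
        Group   = $group
        Members = (Get-LocalGroupMember -Group $group).Name -join ', '
    }
}

$report | Format-Table -AutoSize

# Server Operators is a domain built-in group (it lives on the DCs), so this part
# is done once in the domain, not on each server. Requires the ActiveDirectory module.
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Server Operators' -Members 'jane.pain'
```

The per-server loop only covers machines you list; if the user must be in the group on every machine, the Restricted Groups policy described in the reply is the way to enforce it, and the `Get-LocalGroupMember` report above is a convenient way to confirm the policy has actually applied.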
ccdc12 (ASKER)
Can anyone help me with this part?
To help clarify: I want to give the user jane.pain enough administrator rights, but not enough for that user to change/remove/edit my account or the domain administrator account/administrator account.
The user that has the jane.pain account will also log in with the administrator account.

I have renamed the administrator account to: PSCUSER
Then I created a new account called administrator.
Now that I have the new administrator account, I need both accounts, jane.pain and administrator, to have the same permissions.

thanks for the help
To define permissions, you might want to use a little tool that defines what they are capable of doing when logged on. For this, see the Delegation of Control Wizard.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/ctrlwiz.mspx
ccdc12 (ASKER)
Ok, here is what I have done so far.
Under the Builtin OU group I added both accounts, jane.pain and administrator, as members of Remote Desktop Users and Server Operators.

The Remote Desktop Users group is to let users remote into the servers and workstations.
The Server Operators group is to let users log on to a DC and member server.

I have run Delegate Control on each OU that I want them to have control of, and selected all options for common tasks on that OU.

Is this right so far?

I want to remove jane.pain and administrator from the Domain Administrator group, so they are no longer members of that group.

My user account and the AUSER account are members of the Domain Administrator group.
ccdc12 (ASKER)
Will jane.pain and administrator be able to install software on the server?

Do I need to delegate control to other OUs like "Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Member Servers, Users"?
ccdc12 (ASKER)
Remember, I want to give those two accounts all the security rights except the ability to edit, change, or remove AUSER and my account.
I want to remove jane.pain and administrator from the Domain Administrator group.

I am a wee bit concerned about this. You created another domain administrator account for yourself, right? What I like to do is have two + domain administrator accounts in case one domain admin account gets locked out. Imagine the ramifications of having your only domain admin account locked out of the server. (OUCH)

The rest seems OK to me. Any comments on that, anyone?
ccdc12 (ASKER)
ChiefIT,
I have two administrative accounts. One is AUSER and the other is my account.
Both accounts are members of the Domain Administrator group.

The user jane.pain uses the account called "administrator" to log on to the servers.
I want to take away the Domain Administrator right, and any other right, from both accounts, jane.pain and administrator, so that they cannot edit, remove, or change AUSER and my account.
You know, I might make them domain administrators, and delegate control of everything within that OU except add/delete user and change passwords. Doing so would allow them to log on as administrator and install software on the DC. Then it would explicitly deny messing with user accounts. I don't know how to narrow it down to the AUSER and your domain admin account.
ccdc12 (ASKER)
ChiefIT,
please read the other post.

"give the user jane.pain enough administrator rights but not enough for that user to change/remove/edit my account or the domain administrator account/administrator account.
The user that has the jane.pain account will also log in with the administrator account."

They need to be able to add users, and remove users other than AUSER and my account.
ccdc12 (ASKER)
Have I got it right so far?

Is there other steps I need to do?
This is what I was thinking:
With the access you wish to give jane.pain and the administrator accounts, instead of adding OUs, you can custom-make a delegation at the domain level and enable everything with the exception of changing the domain administrator's password. This would give permissions for the entire domain, as a domain administrator would have. Using delegation at the domain level streamlines the process and eliminates a whole lot of delegation edits.

The only catch was to deny jane.pain or administrator from changing the domain administrator accounts' passwords.

If my domain wasn't in the middle of the Pacific Ocean, or I was sitting in front of my domain, I could test this and not have to rely upon my memory (which isn't so good these days).

I am thinking that a deny delegation on the domain administrators group would override a delegate control.

I looked at the above delegation and it appears they will have access to log on remotely, and be server operators. As operators, I don't believe that will give them software install rights or registry editing rights. So, I believe the permissions will be limited.

I just got home and would like some time to research exactly what you want.
The only way you can do what you want is to delegate the account administration to the administrator account you give to jane.pain: allow them delegation permissions on all OUs, but remove your administrator account from the normal OU and place it in an OU by itself, DENY jane.pain delegation rights over that OU, and then they won't be able to administrate that account but can administrate all the other OUs. Make the account a server operator in Restricted Groups and a Remote Desktop user, and then it should be fine.
ccdc12 (ASKER)
Slam69,
I am confused by your last post. Could you explain a little more in detail?
Thank you
Ok, you can delegate account administration permission on organisational units within Active Directory to whoever you want, soooo

Pull the account that you don't want jane.pain to be able to touch into a separate OU, call it Administrators for example, and only give yourself administration rights over that OU. Then for the other OU containing the users, call it the Users OU, give jane.pain delegation rights to administer it. Then make jane.pain a server operator so they can carry out the server tasks you mentioned earlier, and a Remote Desktop user, so they can remote onto the machines as earlier discussed. I'll post a link discussing delegation of administration in AD once I've found a good one.
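The OU isolation described in this reply, carried out with the ActiveDirectory module as an added PowerShell example (not code from the thread). It assumes RSAT's ActiveDirectory module on the machine you run it from, the accounts john.doe, PSCUSER and jane.pain from the thread, and two constructed OU names, "Protected Admins" and "Staff Users"; the domain DN is read from the domain itself. The script creates the isolated OU, moves the two protected accounts into it, grants jane.pain full control of the staff OU (the same result as running the Delegation of Control Wizard with every option selected) and places an explicit Deny for her on the protected OU, then prints the ACEs that name her so the result can be checked.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT),
# accounts john.doe, PSCUSER and jane.pain, and constructed OU names
# "Protected Admins" and "Staff Users".
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$adminOU  = "OU=Protected Admins,$domainDN"   # constructed OU name
$usersOU  = "OU=Staff Users,$domainDN"        # constructed OU name
$janeSid  = (Get-ADUser -Identity 'jane.pain').SID

# 1. Create the isolated OU (if missing) and move the accounts jane.pain must not touch.
try {
    $null = Get-ADOrganizationalUnit -Identity $adminOU
} catch {
    New-ADOrganizationalUnit -Name 'Protected Admins' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
foreach ($acct in 'john.doe', 'PSCUSER') {
    Get-ADUser -Identity $acct | Move-ADObject -TargetPath $adminOU
}

# Helper: build an ACE for jane.pain that applies to the OU and everything under it.
function New-JaneRule([System.Security.AccessControl.AccessControlType]$type) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $janeSid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        $type,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
}

# 2. Delegate full control of the staff OU to jane.pain.
$acl = Get-Acl -Path "AD:\$usersOU"
$acl.AddAccessRule((New-JaneRule Allow))
Set-Acl -Path "AD:\$usersOU" -AclObject $acl

# 3. Explicitly deny jane.pain on the protected OU. An explicit Deny takes precedence
#    over any Allow she inherits from higher up, e.g. a domain-level delegation.
$acl = Get-Acl -Path "AD:\$adminOU"
$acl.AddAccessRule((New-JaneRule Deny))
Set-Acl -Path "AD:\$adminOU" -AclObject $acl

# 4. Verify: list every ACE on the protected OU that names jane.pain.
(Get-Acl -Path "AD:\$adminOU").Access |
    Where-Object { $_.IdentityReference -like '*jane.pain' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType
```

One point worth knowing when checking the result: accounts that are members of Domain Admins are protected by AdminSDHolder, which periodically replaces the ACL on those user objects with a fixed one that has inheritance disabled, so neither the Allow nor the Deny set at OU level shows up on the protected accounts themselves. That does not weaken the arrangement, because jane.pain is not in the AdminSDHolder ACL and the accounts no longer sit in any OU she is delegated, but it does mean the verification step should be run against the OU, as above, rather than against the user objects.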
ASKER CERTIFIED SOLUTION
slam69
Excellent, Slam69:

As I am not sitting at my domain, it is hard to do this from memory. I used the Delegation wizard once and did a domain delegation once. So, off the top of my head is a wee bit difficult.
ccdc12 (ASKER)
Thanks everyone
Blimey only a B?? what you gotta do to get an A in your class????????