Solved

Administrator Delegation Help

Posted on 2011-02-17
Last Modified: 2012-05-11
Scenario:
We have 20 sites globally, 100 servers (all Win 2003), approx. 3000 desktop users split between global sites. To manage this we have a service desk tier 1/2/3, and on each site we have what we call low grade administrators (hands & feet, general daily admin duties, etc.). My issue is sorting out an AD account for these site administrators that allows them to conduct daily duties. In the past Domain Admin rights have been given out all over the place - this has led to serious issues. Can anyone suggest a good solid format for managing this?
Question by:I_T_MAN
2 Comments
 
LVL 3

Expert Comment

by:iamshergill
ID: 34914893
Make them members of the groups below in AD:

-Account Operators
-Backup Operators
-Network Configuration Operators
-Print Operators

However, the solution given above is not ultimate because of lack of information. We can also create separate OUs for each site and delegate administrators to their respective OU; that could be a better solution.

Can you provide me a list of what tasks you want them to do?
 
LVL 27

Accepted Solution

by:
KenMcF earned 500 total points
ID: 34914944
I would stay away from the built-in groups. These will give more rights than you probably want to give. I would only delegate the rights needed. Do the level 3 people need to log on to the DCs? If they do, then you should probably give them domain admin. For the other groups, they can manage users and computers for their own location if you have the OUs properly separated. It all depends on what you need these groups to do.



http://www.windowsecurity.com/articles/Built-in-Groups-Delegation.html
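Added example (not part of the thread or either expert's code): one way to script the per-site OU delegation described in the accepted answer, using `dsacls.exe` and `dsquery`/`dsget` from PowerShell. The domain name, the OU-per-site layout and the `<site>-SiteAdmins` group names are assumptions chosen for illustration.

```powershell
# Assumed values for illustration only; replace with your own domain and sites.
$DomainDn = 'DC=example,DC=com'
$NetBios  = 'EXAMPLE'
$Sites    = 'London', 'Sydney'          # assumes one OU per site under the domain root

foreach ($site in $Sites) {
    $ou    = "OU=$site,$DomainDn"
    $group = "$NetBios\$site-SiteAdmins"   # hypothetical per-site security group

    # Rights limited to user objects below the site OU (/I:S = child objects only):
    #   CA;Reset Password  - reset passwords
    #   RPWP;pwdLastSet    - force "change password at next logon"
    #   RPWP;lockoutTime   - unlock locked-out accounts
    $userAces = @(
        "${group}:CA;Reset Password;user",
        "${group}:RPWP;pwdLastSet;user",
        "${group}:RPWP;lockoutTime;user"
    )
    foreach ($ace in $userAces) {
        & dsacls.exe $ou /I:S /G $ace | Out-Null
    }

    # Create/delete computer objects in the site OU and its sub-OUs (/I:T).
    & dsacls.exe $ou /I:T /G "${group}:CCDC;computer" | Out-Null

    # Verify: list the ACEs on the OU that now reference the site group.
    Write-Host "ACEs for $group on ${ou}:"
    & dsacls.exe $ou | Select-String -SimpleMatch $group
}

# Review who still holds Domain Admins (directly or through nested groups)
# so the memberships handed out in the past can be removed.
& dsquery.exe group -name 'Domain Admins' | & dsget.exe group -members -expand
```

Each site group receives rights only on its own OU, so an account in `London-SiteAdmins` cannot reset passwords or manage computers in the Sydney OU, and none of the groups has any rights on domain controllers.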
