Solved

Active Directory 2008 Permissions

Posted on 2011-03-01
Last Modified: 2012-05-11
What is the easiest way to give an admin access to manage OUs and log into some servers centrally, without giving high level access?
0
Question by:Jack_son_
9 Comments
 
LVL 27

Accepted Solution

by:
KenMcF earned 1600 total points
ID: 35012963
To give permissions to OUs you can right click the OU and use the delegation wizard to assign the needed permissions. What permissions are you looking to give?

For server access, you can either add them to the local Admin group on a member server or add them to the Remote Desktop Users group. From the sound of your post I think the Remote Desktop Users group is what you want. They can also use Active Directory Users and Computers from their desktop if you do not want them logging into a server.
0
 
LVL 15

Assisted Solution

by:wantabe2
wantabe2 earned 400 total points
ID: 35012973
Use the delegation wizard. This will do the trick.
0
 
LVL 3

Expert Comment

by:mnation1
ID: 35012979
You could try adding them to Group Policy Creator Owners and Schema Admins.  That will give them access to alter the schema and group policy objects in AD, but it shouldn't allow them administrator access on all machines.  Then explicitly add the account to the administrators group on the servers/workstations you'd like them to manage.
0

 
LVL 27

Expert Comment

by:KenMcF
ID: 35012995
Why the Schema Admins group? This group should be empty and only add users when and if you need to make any schema modifications.
0
 

Author Comment

by:Jack_son_
ID: 35013050
We want to limit it to management of OUs and adding email accounts. Also, access to limited servers.
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 1600 total points
ID: 35013105
You will need to determine what permissions you want to give and then use the delegation wizard.
Look into creating a task pad view so they get a view of a single OU or whatever you want.

For the servers you can do this through a GPO
http://www.frickelsoft.net/blog/?p=13

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 1600 total points
ID: 35013176
0
 

Author Comment

by:Jack_son_
ID: 35013880
Great, thanks, let me try it. Will it also let you prevent them from adding users to groups with elevated privileges?
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 1600 total points
ID: 35013892
It depends on how you set the permissions on the group and users.
0
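
A read-only audit of what the delegation actually granted, relevant to the last exchange above about keeping delegated admins out of groups with elevated privileges. This is an added example, not code from any poster in the thread; the account, OU and group names are constructed placeholders, and it only matches ACEs that name the delegated group directly (nested group membership and property sets are not resolved).

```powershell
# Added example: read-only audit. All names are constructed placeholders (assumptions).
$Delegate   = 'EXAMPLE\OU-Admins'                 # group chosen in the delegation wizard
$Ou         = 'OU=Staff,DC=example,DC=com'        # OU that was delegated
$Privileged = @(                                  # groups the delegate must not control
    'CN=Domain Admins,CN=Users,DC=example,DC=com',
    'CN=Server Operators,CN=Builtin,DC=example,DC=com'
)
$MemberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of "member"
$R          = [System.DirectoryServices.ActiveDirectoryRights]
$Takeover   = [int]$R::WriteDacl -bor [int]$R::WriteOwner   # rights that allow re-ACLing the object

function Get-DelegateAce([string]$Dn, [string]$Who) {
    # Read the DACL (explicit and inherited ACEs) and keep entries that name $Who directly.
    $sd = ([ADSI]"LDAP://$Dn").psbase.ObjectSecurity
    $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $Who }
}

function Test-MembershipControl($Ace) {
    # True when an Allow ACE that applies to the object itself lets the holder
    # write "member" or take the object over (GenericAll includes both).
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    if (([int]$Ace.PropagationFlags -band [int]$inheritOnly) -ne 0) { return $false }
    $rights = [int]$Ace.ActiveDirectoryRights
    if (($rights -band $Takeover) -ne 0) { return $true }
    $scope = ($Ace.ObjectType -eq [guid]::Empty) -or ($Ace.ObjectType -eq $MemberGuid)
    return ((($rights -band [int]$R::WriteProperty) -ne 0) -and $scope)
}

# 1. What the wizard actually granted on the delegated OU.
Get-DelegateAce $Ou $Delegate |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited -AutoSize |
    Out-String

# 2. ACEs on privileged groups that would let the delegate change their membership.
foreach ($dn in $Privileged) {
    $hits = @(Get-DelegateAce $dn $Delegate | Where-Object { Test-MembershipControl $_ })
    '{0}: {1} risky ACE(s) for {2}' -f $dn, $hits.Count, $Delegate
}
```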
