Solved

Finetune AD object permission

Posted on 2014-11-07
Last Modified: 2014-11-10
Our domain Helpdesk group has rights such as adding users and computers and resetting passwords on AD objects in our domain.

There are certain AD objects (domain security groups) for which we would like to restrict the above rights to only a few members within the Helpdesk group.

Is it possible?
Question by:nav2567
Accepted Solution

by:Steven Wells
Steven Wells earned 400 total points
The best thing is to create a separate OU for those groups and ensure you delegate permissions separately to that OU. You may have to remove delegation from top-level objects to ensure Helpdesk only have rights as needed.
Assisted Solution

by:Rizzle
Rizzle earned 100 total points
Agree with Steve. You would have to create another OU and apply different permissions to ensure no modification of any accounts can take place. We have this in place where service and domain admin accounts sit in one OU which only our team have access to, which excludes the helpdesk.
Author Comment

by:nav2567
Thanks both.

When I remove delegation, do I just go to the OU's properties > security and remove the Helpdesk group in the "Advanced" list, and that's it?

Thanks.
Expert Comment

by:Rizzle
Correct.
Author Closing Comment

by:nav2567
Thanks, both.
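
The approach from the accepted answer, sketched in PowerShell with the ActiveDirectory module as an added example (not code from anyone in this thread). The domain `example.com`, the OU `Restricted Groups`, and the groups `Helpdesk-Restricted`, `Finance-Admins` and `HR-Data-Owners` are hypothetical placeholders, and the rights granted in step 3 are an assumption to adjust to what the subset actually needs.

```powershell
# Added example: every domain, OU and group name here is a hypothetical placeholder.
Import-Module ActiveDirectory

$domainDN  = 'DC=example,DC=com'
$ouDN      = "OU=Restricted Groups,$domainDN"
$helpdesk  = Get-ADGroup 'Helpdesk'                # existing broad group
$subset    = Get-ADGroup 'Helpdesk-Restricted'     # the few trusted Helpdesk members
$protected = 'Finance-Admins', 'HR-Data-Owners'    # security groups to restrict

# ACEs can show the trustee as DOMAIN\Name or as a raw SID, so match both.
$helpdeskNames = @($helpdesk.SID.Value,
    $helpdesk.SID.Translate([System.Security.Principal.NTAccount]).Value)

function Get-GroupAce {
    param([string]$DN, [string[]]$Names)
    (Get-Acl -Path "AD:\$DN").Access |
        Where-Object { $Names -contains $_.IdentityReference.Value }
}

# 1. Find where Helpdesk is delegated explicitly (not inherited). These are the
#    top-level delegations to review, because they flow down into any new OU.
$containers = @($domainDN) +
    @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
foreach ($dn in $containers) {
    Get-GroupAce $dn $helpdeskNames | Where-Object { -not $_.IsInherited } |
        Select-Object @{n='Container';e={$dn}}, ActiveDirectoryRights, InheritedObjectType
}

# 2. Create the separate OU and move the sensitive groups into it.
New-ADOrganizationalUnit -Name 'Restricted Groups' -Path $domainDN
$protected | ForEach-Object { Get-ADGroup $_ | Move-ADObject -TargetPath $ouDN }

# 3. Delegate to the subset only, scoped to group objects below the OU.
$groupClass = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # schema GUID of class "group"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $subset.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass)
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 4. Verify: any Helpdesk ACE still present on the new OU means the parent
#    delegation found in step 1 has not been removed yet.
$left = @(Get-GroupAce $ouDN $helpdeskNames)
if ($left.Count) {
    Write-Warning "Helpdesk still has $($left.Count) ACE(s) on $ouDN; remove the parent delegation."
}
```

Run step 1 first and read its output before changing anything: a Helpdesk entry removed from the new OU's security list reappears through inheritance if the delegation still exists on a parent container.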