  • Status: Solved

Finetune AD object permission

Our domain Helpdesk group has rights such as adding users and computers and resetting passwords on AD objects in our domain.

There are certain AD objects (domain security groups) for which we would like to restrict the above rights to only a few members within the Helpdesk group.

Is it possible?
0
nav2567
Asked:
2 Solutions
 
Steven Wells (Systems Administrator) Commented:
The best thing is to create a separate OU for those groups and ensure you delegate permissions separately to that OU. You may have to remove delegation from top-level objects to ensure Helpdesk only has rights as needed.
0
 
Rizzle Commented:
Agree with Steve. You would have to create another OU and apply different permissions to ensure no modification of any accounts can take place. We have this in place, where service and domain admin accounts sit in one OU which only our team has access to, which excludes the helpdesk.
0
 
nav2567 (Author) Commented:
Thanks both.

When I remove delegation, do I just go to the OU's Properties > Security and remove the Helpdesk group in the "Advanced" list, and that's it?

Thanks.
0
 
Rizzle Commented:
Correct.
0
 
nav2567 (Author) Commented:
Thanks, both.
0
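
The approach agreed on in this thread (a separate OU with its own delegation, and no Helpdesk entry left on it), shown as an added PowerShell example that is not from any of the posters. The domain, group and OU names are placeholders, and the check for inherited entries covers the case where the Helpdesk right is delegated on a parent container, so removing the entry on the OU alone would not take effect.

```powershell
# Added example. Every name below is a placeholder (assumption), not a value from the thread.
Import-Module ActiveDirectory

$domainDn   = 'DC=example,DC=com'            # placeholder domain
$helpdesk   = 'EXAMPLE\Helpdesk'             # the broad Helpdesk group
$restricted = 'EXAMPLE\Helpdesk-Restricted'  # hypothetical group holding the few trusted members
$ouName     = 'Restricted Groups'            # hypothetical new OU
$ouDn       = "OU=$ouName,$domainDn"

# 1. Create the separate OU and move a sensitive security group into it.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
Get-ADGroup -Identity 'Sensitive-Group' | Move-ADObject -TargetPath $ouDn   # placeholder group

# 2. Audit: list the Helpdesk entries on the new OU.
#    IsInherited = True means the right is delegated on a parent container,
#    so it cannot be removed from this OU's Security > Advanced list directly.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $helpdesk } |
    Select-Object ActiveDirectoryRights, AccessControlType, IsInherited, ObjectType

# 3. Stop inheriting from the parent. The second $true keeps the currently
#    inherited entries as explicit copies so other delegations are not lost.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Re-read the ACL (entries are now explicit) and drop every Helpdesk entry.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$helpdesk)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 5. Delegate only what the smaller group needs, here: write the "member"
#    attribute of group objects below the OU (/I:S = sub-objects only).
dsacls $ouDn /I:S /G "${restricted}:WP;member;group"

# 6. Verify: the broad group should return nothing, the restricted group its one entry.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -in $helpdesk, $restricted } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Run steps 1 and 2 first and review the output before changing inheritance; members of the broad Helpdesk group who also belong to the restricted group keep access through the latter.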
