jaxjags
asked on
Proper Ways to Set Up Multiple Levels of Administrators in Active Directory Domain
Was looking for advice on best practice for having multiple levels of administrators. Example: In a small company, there are 3 IT staff. The first one should have access to everything, the second should have similar but slightly less and unable to override the first one. The third one should have just barely above a default user account.
I suppose I'm looking more for strategy on how to configure this kind of a set up as opposed to specific steps... although specific steps are welcome if they are considered best practice.
For example, I know Administrators is there by default, but what about Domain Admins? Enterprise admins? Would the second person, for example, be an admin account that is only set at one OU as opposed to the root of the entire AD tree, thus limiting their ability to do more than manage the computers / users in that OU?
Domain Admins and above have all permissions, so something less has to be identified based on what the other person should be able to do, in order to create a custom delegation role as given by Aclasspc.
First - Domain & Enterprise Admins, Administrators group. Standard practice is to keep at least two administrators so that a lost password or a person's unavailability can be balanced.
Second - Can have a delegated role for remote logins and Account Operator level, maybe even to perform specific GP edits.
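The tiering sketched in the question and the reply can be built with OU-level delegation rather than built-in groups. The following is an added PowerShell example, not code from the thread; it assumes the RSAT ActiveDirectory module, a Domain Admin session, and invented names (OU "Branch", accounts it.alice and it.bob, groups Tier2-BranchAdmins and Tier3-HelpDesk).

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory module,
# a Domain Admin session, and invented names: OU "Branch", users it.alice/it.bob,
# groups Tier2-BranchAdmins and Tier3-HelpDesk.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Branch,$domainDN"
try   { Get-ADOrganizationalUnit -Identity $ouDN -ErrorAction Stop | Out-Null }
catch { New-ADOrganizationalUnit -Name "Branch" -Path $domainDN }

# Tier 1: full rights via Domain Admins. Two members, as the reply above suggests.
Add-ADGroupMember -Identity "Domain Admins" -Members "it.alice","it.bob"

# Tiers 2 and 3 are plain security groups whose rights come only from ACEs on the OU;
# they hold nothing at the domain root, so they cannot touch tier-1 accounts kept outside it.
foreach ($g in "Tier2-BranchAdmins","Tier3-HelpDesk") {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
    }
}

# Resolve the "user" class GUID and the "Reset Password" extended-right GUID from this
# forest's schema/configuration partitions instead of hard-coding them.
$rootDSE  = Get-ADRootDSE
$userGuid = [guid](Get-ADObject -SearchBase $rootDSE.SchemaNamingContext `
    -Filter "lDAPDisplayName -eq 'user'" -Properties schemaIDGUID).schemaIDGUID
$resetPwd = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.ConfigurationNamingContext)" `
    -Filter "displayName -eq 'Reset Password'" -Properties rightsGuid).rightsGuid

$acl  = Get-Acl -Path "AD:\$ouDN"
$t2   = (Get-ADGroup "Tier2-BranchAdmins").SID
$t3   = (Get-ADGroup "Tier3-HelpDesk").SID
$all  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$desc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Tier 2: may create/delete user objects in the OU and fully manage the users already in it.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $t2, [System.DirectoryServices.ActiveDirectoryRights]"CreateChild,DeleteChild", "Allow", $userGuid, $all))
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $t2, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, "Allow", $desc, $userGuid))

# Tier 3: only the Reset Password right, and only on user objects under this OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $t3, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, "Allow", $resetPwd, $desc, $userGuid))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review what was delegated: only the three ACEs for the tier groups should be listed.
(Get-Acl -Path "AD:\$ouDN").Access | Where-Object { $_.IdentityReference -like "*Tier*" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Tier-1 accounts and the tier groups themselves live outside the delegated OU, so the OU ACEs give tier 2 no path to change tier-1 membership or passwords.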
https://technet.microsoft.com/en-us/library/cc756898%28WS.10%29.aspx