Solved

New Security Group Permission/Rights for Windows AD environment.

Posted on 2016-07-26
Last Modified: 2016-08-22
I have a customer who requested to have a new security group (a group created by himself with new IT staff) granted certain rights to administer the servers and network-related tasks.

He will create new groups, and their roles are as below:

1-HelpDesk: Add/Remove User ID and join Domain, network configuration, reset psw

2-Service Admin Operator: run, start, stop services of all domain servers, install programs, reset psw, network configuration, DHCP, DNS...server services

3-Group policy editing: registry editing

4-File Share Group: have the right to access all file shares and folders

5-Service account group: to group all service accounts
Applications already have their own service accounts, so the customer will group them himself; no change to the permissions of these accounts and groups


I believe I need to configure a GPO to grant those groups those rights. Just wondering if there is any article that I can refer to?


Thanks
Question by:hell_angel
5 Comments
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 1000 total points (awarded by participants)
ID: 41730546
I would look at the built-in groups first. For example, Server Operators, Account Operators, Group Policy Creator Owners.
https://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

I use a new group for full control over NTFS.

I guess you can put all service accounts into a group just so you know what the service accounts are, but you can also just put all service accounts into their own OU.
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 41730670
Can you explain what you want to achieve?

How does GPO come into play?
0
 

Author Comment

by:hell_angel
ID: 41730712
Jian An Lim,

I know there are some GPO settings that need to change in order to add a security group to have certain rights.

Just need some idea where to add those groups into the correct policy so they have the right to administer the server.
0
 
LVL 37

Accepted Solution

by:
Jian An Lim earned 1000 total points (awarded by participants)
ID: 41732402
hell_angel:
Okay, I think I know what you want.

Instead of approaching this from the group point of view, I will focus on features and what to do to enable the end user to do them.


Add/Remove User ID and join Domain, reset psw, Group policy editing
<-- this is AD delegation.
http://windowsitpro.com/active-directory/view-remove-ad-delegated-permissions


network configuration, run, start, stop services of all domain servers, install programs, registry editing
<-- will require local admin rights. You need to use Group Policy Preferences to assign this group to all relevant machines (i.e. if it is a workstation, then apply to workstations; if it is a domain server, apply to domain servers).
http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/


have right to access to all fileshare and folders
<-- apply this at the root of the file share. Of course, users can break the inheritance.
0
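
The AD delegation and file share steps from the accepted answer above, as an added PowerShell example that is not part of the original thread. All group names, OU paths and the share path are assumptions; the local Administrators assignment is done in the Group Policy Preferences editor and is not scripted here.

```powershell
# Added example. Every name below is a hypothetical placeholder, not a value from the thread.
Import-Module ActiveDirectory   # RSAT module; provides the AD: drive used for the audit step

$HelpDesk  = 'EXAMPLE\HelpDesk'                    # hypothetical help desk group
$StaffOU   = 'OU=Staff,DC=example,DC=com'          # hypothetical OU holding user accounts
$PcOU      = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU for domain-joined computers
$FileGroup = 'EXAMPLE\FileShareAdmins'             # hypothetical file share group
$ShareRoot = 'D:\Shares'                           # hypothetical file share root

# 1. AD delegation, scoped to specific OUs rather than the whole domain.
#    /I:S = child objects only, /I:T = this object and its children.
dsacls $StaffOU /I:S /G "${HelpDesk}:CA;Reset Password;user"   # reset passwords
dsacls $StaffOU /I:S /G "${HelpDesk}:WP;pwdLastSet;user"       # force change at next logon
dsacls $StaffOU /I:T /G "${HelpDesk}:CCDC;user"                # create and delete user objects
dsacls $PcOU    /I:T /G "${HelpDesk}:CC;computer"              # create computer objects (domain join)

# 2. Audit: show the explicit (non-inherited) ACEs the group now holds on the OU,
#    so the delegation can be reviewed and later removed.
(Get-Acl "AD:\$StaffOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $HelpDesk -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType

# 3. File shares: grant once at the root and let it inherit to files (OI) and folders (CI).
#    M = Modify; use F only if the group must also change permissions.
icacls $ShareRoot /grant "${FileGroup}:(OI)(CI)M"

# Folders where inheritance has been broken will not receive the grant above;
# list them so they can be fixed individually.
Get-ChildItem -Path $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected } |
    Select-Object -ExpandProperty FullName
```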
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 41757592
OP left the question. This is the best we have: we hit the note and came up with solutions.
0


Question has a verified solution.
