Robert Grover

asked on 

Creating a restricted domain admin account

We have a temp worker who was hired to work on our help desk (Tier 2), and I need to find the best way to manage this account until he becomes a full-time worker who has passed background checks. I am looking for suggestions or advice on how to give him just enough rights to do his job, and avoid a possible security breach if things don't work out with him. I just don't feel it's a good idea to grant him default domain admin rights until we know he works out.

Thanks in advance
Tags: Active Directory, Security

McKnife

Robert, what will he be doing? Helping users at their workstations, or administering AD user objects as well? These two things are worlds apart.
For workstation support, please look at this concept for safe user support: https://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html - flexible, safe, easy to set up.
Robert Grover

ASKER

I want to keep him from playing around with anything beyond AD Users and Computers (DHCP, DNS, Etc.).
McKnife

Please tell us what you want him to be doing, not what you want him not to be doing :-)
ASKER CERTIFIED SOLUTION
Peter Hutchison
Robert Grover

ASKER

I want him to be able to do common things like password changes, user management, adding PCs to the domain, etc. I knew about the delegate control, but I was wondering if I had to take him out of domain admins if I delegate?
Peter Hutchison

Yes, you should remove him from Domain Admins before using Delegate Control for that user.
McKnife

Sure, you will have to take him out of Domain Admins unless you want to start applying "deny" entries on your AD object ACLs, which is not recommendable.
Robert Grover

ASKER

Thanks for all of this info from everyone.
McKnife

Robert, just a note since your membership is relatively recent: you can split points between all helpful answers. Maybe you didn't know that, just in case :-)
Robert Grover

ASKER

Thanks for the advice on feedback. As a side note to the responses, I gave him delegate rights but he is not able to log into the server to manage user accounts. Does delegation take away local login rights on the DC? Should I have that user install the admin tools on his system? Thanks again for everyone's help.
McKnife

Yes, install RSAT on his system. He should not need to log on to the server.
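The advice across the thread (remove the account from Domain Admins, then delegate only what the Tier 2 role needs on an OU, and run the tools from RSAT on the worker's own PC) can be scripted instead of clicked through the Delegate Control wizard. The following is an added example, not code from any of the posters: the account name, group name and OU path are assumptions, while the three GUIDs are the fixed well-known identifiers for the Reset Password extended right and the user and computer schema classes. Delegation only changes the OU's ACL; the reason the worker can no longer sign in to the DC after leaving Domain Admins is that local logon to domain controllers is granted by user rights assignment to administrative groups, which is why the tools belong on his workstation.

```powershell
using namespace System.DirectoryServices
using namespace System.Security.AccessControl
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# --- assumptions (not from the thread); change to match your forest ---
$HelpdeskUser  = 'jdoe'                          # sAMAccountName of the temp worker
$HelpdeskGroup = 'Tier2-Helpdesk'                # group that carries the delegated rights
$TargetOU      = 'OU=Staff,DC=corp,DC=example'   # the only OU he may manage

# Well-known GUIDs, identical in every AD forest
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$UserClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema class: user
$ComputerClass      = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schema class: computer

# 1. Leave Domain Admins first: that membership grants everything, so an OU ACL
#    on top of it would be meaningless (and "deny" ACEs are not the answer).
Remove-ADGroupMember -Identity 'Domain Admins' -Members $HelpdeskUser -Confirm:$false

# 2. Delegate to a group rather than the user, so the ACL survives staff changes.
if (-not (Get-ADGroup -Filter "Name -eq '$HelpdeskGroup'")) {
    New-ADGroup -Name $HelpdeskGroup -GroupScope Global -GroupCategory Security -Path $TargetOU
}
Add-ADGroupMember -Identity $HelpdeskGroup -Members $HelpdeskUser

# 3. Write the ACEs the Delegate Control wizard would write, explicitly.
$sid   = (Get-ADGroup -Identity $HelpdeskGroup).SID
$allow = [AccessControlType]::Allow
$onDescendants = [ActiveDirectorySecurityInheritance]::Descendents   # child objects only, not the OU itself
$onAll         = [ActiveDirectorySecurityInheritance]::All           # the OU and everything below it

$rules = @(
    # Reset Password on every user object below the OU
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]'ExtendedRight', $allow,
                                     $ResetPasswordRight, $onDescendants, $UserClass)
    # Read and write user attributes (general user management)
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
                                     $onDescendants, $UserClass)
    # Create and delete user objects in the OU
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]'CreateChild, DeleteChild', $allow,
                                     $UserClass, $onAll)
    # Create and delete computer objects in the OU ("adding PCs to the domain")
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]'CreateChild, DeleteChild', $allow,
                                     $ComputerClass, $onAll)
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# 4. Verify the end state: no longer a Domain Admin, in the helpdesk group, ACEs present.
function Test-HelpdeskDelegation {
    param([string]$User, [string]$Group, [string]$OU)
    $stillDA = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName -contains $User
    $inGroup = (Get-ADGroupMember -Identity $Group).SamAccountName -contains $User
    $aces = (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference -like "*\$Group" -and $_.AccessControlType -eq 'Allow' }
    [pscustomobject]@{
        StillDomainAdmin = $stillDA
        InHelpdeskGroup  = $inGroup
        DelegatedAces    = @($aces).Count
    }
}
Test-HelpdeskDelegation -User $HelpdeskUser -Group $HelpdeskGroup -OU $TargetOU

# 5. On the worker's own Windows 10/11 PC (not on the DC), install the AD tools:
#    Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
```

Two things to keep in mind when reusing this. ReadProperty/WriteProperty over the whole user class is a broad grant; if policy requires it, replace that rule with per-attribute ACEs. And because AdminSDHolder disables ACL inheritance on accounts that are (or once were) members of protected groups such as Domain Admins, the delegated helpdesk group will not be able to reset those accounts' passwords, which is exactly the separation the question is after.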