Domain Admin rights need to be removed from Techs

Status
Not open for further replies.

djbeenie

Technical User
Jun 20, 2002
134
US
I have a helpdesk with a number of 5. Due to auditing reasons, we need to have these techs removed from Domain Admin rights. They all know local admin passwords, so this is not a problem. Only problem is, they need to reset passwords and move computer accounts. What would the best solution be?

*These are a must privilege
Add/Remove Computers from the Domain
Move Computers to OU Containers
Reset passwords

*not sure if we are locking this down yet
View/Add/Delete Security groups
Create user accounts
Add/Remove Users from Distribution List

Thank you! :)


dj beenie
 
1. Add them to a group in AD
2. Add that group to the domain policy under the "Add workstations to the domain" section.
3. Delegate permissions on the containers/OUs that they need to move computers to/from.
4. Delegate the reset password function on the OU with your user accounts (or at the domain level if that is necessary).

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003
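
The steps in the reply above, scripted as an added example that is not part of the original thread. The domain, OU, group and account names are assumptions, and step 2 (the "Add workstations to the domain" user right) is set in Group Policy, so it is only noted in a comment.

```powershell
# Added example; every name below is an assumed placeholder, not from the thread.
Import-Module ActiveDirectory

$Domain      = 'EXAMPLE'                              # NetBIOS domain name (assumed)
$Group       = 'Helpdesk-Delegated'                   # delegation group (assumed)
$GroupOU     = 'OU=Groups,DC=example,DC=com'
$UserOU      = 'OU=Staff,DC=example,DC=com'           # OU holding the user accounts
$ComputerOUs = 'OU=Workstations,DC=example,DC=com',
               'OU=Laptops,DC=example,DC=com'         # OUs computers move between
$Techs       = 'tech1', 'tech2'                       # helpdesk sAMAccountNames

# Step 1: create the group and add the techs to it.
New-ADGroup -Name $Group -SamAccountName $Group -GroupScope Global `
            -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity $Group -Members $Techs

# Step 2 is done in Group Policy: add this group to the
# "Add workstations to the domain" user right.

$Trustee = "$Domain\$Group"

# Step 3: moving a computer needs delete-child on the source OU and
# create-child on the destination, so grant create/delete of computer
# objects on every OU involved (/I:T = this OU and everything below it).
foreach ($ou in $ComputerOUs) {
    dsacls $ou /I:T /G "${Trustee}:CCDC;computer"
}

# Step 4: Reset Password control access right, plus write access to
# pwdLastSet so a reset can force a change at next logon. /I:S applies the
# ACEs to descendant objects only; the trailing "user" limits them to users.
dsacls $UserOU /I:S /G "${Trustee}:CA;Reset Password;user"
dsacls $UserOU /I:S /G "${Trustee}:RPWP;pwdLastSet;user"

# Check for the auditors: list the ACEs that now name the group ...
foreach ($ou in @($UserOU) + $ComputerOUs) {
    "--- $ou"
    dsacls $ou | Select-String -SimpleMatch $Group
}

# ... and confirm no tech is still a direct or nested Domain Admins member.
$still = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
         Where-Object { $Techs -contains $_.SamAccountName }
if ($still) {
    Write-Warning ("Still in Domain Admins: " + ($still.SamAccountName -join ', '))
} else {
    'No helpdesk accounts remain in Domain Admins.'
}
```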

 
If appropriate you could also use Restricted Groups to add their user accounts to the local administrators groups on the PCs. This will also make the auditors happy, as they will use their own domain account to work on local PCs, thus leaving an audit trail. Also, their domain account passwords should require changing more often than the local admin password, so a higher level of security will be achieved.

 
Yeah, that article is good. Basically follow the above steps and you'll be ok.

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 