how to let IT staff admin without danger

Status
Not open for further replies.

ilpadrino

MIS
Feb 14, 2001
416
US
How can I let my IT staff do basic user administration without risk or error? I want them to be able to add and modify users, but do not want them, for instance, to add a user and then make it a member of the Domain Admins group.
 
Just add them to the Account Operators group. By design they cannot make changes to accounts that have the same rights or greater. Meaning, they cannot add/modify/delete other users with Account Operators permission nor any account with Domain Admin rights.
 
You could also delegate permission allowing certain users the ability to manage objects in the OUs of your choice.
 
So if I add them to the Account Operators group, that doesn't let me exclude them from controlling, for example, the accounting groups.

If I want to exclude certain objects I have to take the OU approach. Is there a specific right, Kenny, to assign on the OU, or just full control for the IT staff?


Thanks.
 
What I would do is create a Security Group in AD, something like AccountingUserAdmins. From the accounting OU - right-click and choose Delegate Control. Follow the Wizard to create the desired ACLs.

Then you could create an MMC with just that OU and place it on the desktops of users in the security group. That way they don't have a full view of ADUC. They don't need to see what they can't manage.
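
Added example, not part of the original thread: a scripted form of the OU delegation described in the last reply, limited to user objects, followed by a review of the resulting ACL. The domain `example.com`, the OU path and the `EXAMPLE\AccountingUserAdmins` account name are assumptions, as is the choice of rights (create, delete and fully manage user objects only).

```powershell
# Assumed names (not from the thread): domain example.com, OU "Accounting",
# group EXAMPLE\AccountingUserAdmins. Needs the RSAT ActiveDirectory module
# and must be run by an account allowed to modify the OU's ACL.
Import-Module ActiveDirectory

$ou    = 'OU=Accounting,DC=example,DC=com'
$group = 'EXAMPLE\AccountingUserAdmins'

# 1. Delegate on the OU, scoped to user objects only.
#    CC/DC = create/delete child objects of class "user";
#    /I:T applies the entry to the OU itself and the containers below it.
dsacls $ou /I:T /G "${group}:CCDC;user"

#    GA = full control, inherited only by user objects beneath the OU (/I:S).
#    Nothing is granted on group objects, so the delegates cannot edit
#    group membership through this delegation.
dsacls $ou /I:S /G "${group}:GA;;user"

# 2. Review the explicit (non-inherited) entries the group now holds on the OU.
#    Any row whose ObjectType / InheritedObjectType is not tied to the user
#    class means the delegation is wider than intended.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# 3. List objects inside the OU that are flagged as protected (adminCount = 1),
#    i.e. current or former members of privileged groups. These are better
#    kept outside an OU that is delegated to help-desk style staff.
Get-ADObject -SearchBase $ou -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Select-Object Name, ObjectClass, DistinguishedName
```

Run step 2 again after any later change to the delegation, so the ACL on the OU stays limited to what the group is meant to manage.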
 