Assigning desktop support staff permissions in AD

  • Assigning desktop support staff permissions in AD

    I need some help assigning the proper permissions to our new desktop support staff in AD (and anywhere else necessary). Here's what they will be doing:

    * all desktop PC support (so they need to be admin on all desktop PCs)
    * file share management (they will be assigning permissions to network shares, folders, files, etc.)
    * email/account management (adding/modifying email addresses, creating AD accounts, modifying group permissions, etc.).

    I'm aware of delegating permissions in AD for say the Users OU for AD account management, but I'm stuck on these two points:

    * I want them to have limited access to the email server and file server to manage the file shares and ADUC (and not be able to hose the rest of the server).

    * I want them to be able to have admin access to all desktop PCs, without having any privileges on our servers. Can I assign the necessary permissions in AD?

    Any assistance would be appreciated.


  • #2
    Re: Assigning desktop support staff permissions in AD

    For admin access, have a look at "restricted groups" in GPOs.
    You can put all client PCs in an OU and assign a GPO to make the DSTs local admins. As long as the servers are in a different OU, they will be safe!

    For the servers, give them delegated permissions on ADUC -- as you already know -- but install the ADUC console on a client workstation so no physical access to the server is needed. For shares, you could allow them to connect remotely to computer management, but I would need to check on the user rights needed. Have a look at the built-in groups to see if any meet your needs.
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
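
An added example, not part of either post: a PowerShell audit of the OU separation that reply #2 relies on, checking that no server-class machine sits in the client OU and that the local-admin GPO does not reach the server OUs or the Domain Controllers OU. The OU paths and the GPO name are assumptions; it needs the RSAT ActiveDirectory and GroupPolicy modules.

```powershell
Import-Module ActiveDirectory, GroupPolicy

# Assumed names for illustration: substitute your own OUs and GPO display name.
$ClientOU = 'OU=Workstations,DC=example,DC=com'
$ServerOU = 'OU=Servers,DC=example,DC=com'
$GpoName  = 'Desktop Support - Workstation Local Admins'

# 1. Server-class computer objects inside the client OU (or any child OU)
#    would receive the Restricted Groups setting along with the desktops.
$strays = Get-ADComputer -SearchBase $ClientOU -SearchScope Subtree `
    -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
    Select-Object Name, OperatingSystem, DistinguishedName

# 2. Every OU that holds servers, plus the Domain Controllers OU.
$targets = @(Get-ADOrganizationalUnit -SearchBase $ServerOU -Filter * |
    Select-Object -ExpandProperty DistinguishedName)
$targets += (Get-ADDomain).DomainControllersContainer

# 3. InheritedGpoLinks is the effective list for a container: links made
#    directly on it plus links inherited from parent OUs, the domain or site.
$leaks = foreach ($dn in $targets) {
    (Get-GPInheritance -Target $dn).InheritedGpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled } |
        Select-Object @{ Name = 'AppliesTo'; Expression = { $dn } },
                      DisplayName, Enforced
}

if ($strays) {
    Write-Warning 'Server operating systems found in the client OU:'
    $strays | Format-Table -AutoSize
}
if ($leaks) {
    Write-Warning "GPO '$GpoName' is in scope for server containers:"
    $leaks | Format-Table -AutoSize
}
if (-not $strays -and -not $leaks) {
    Write-Output 'OU separation holds: the local-admin GPO is scoped to client PCs only.'
}
```

The check looks at GPO links only; security filtering or a WMI filter on the GPO can narrow its scope further, so a reported link means "in scope", not necessarily "applied".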