[HELP!] Active Directory Permissions - Accounts Operators Etc


  • [HELP!] Active Directory Permissions - Accounts Operators Etc

    Hey,

    I've just been asked to look into our Active Directory permissions because quite frankly... it is a mess.

    Our 1st Line support have complete access to all of Active Directory through the use of Account Operators.

    In most cases, this would be fine... but our 1st line staff are, let's say, undesirable by management to have such power.

    We want to limit the 1st Line staff to only be able to do two things on Active Directory.

    1) Change Passwords
    2) Unlock Accounts

    Obviously, with Account Operators, they can do everything and anything.

    I'm sure this must be possible, but have been unable to fathom where to start on such a mess.

    Any help would be greatly appreciated...

  • #2
    Re: [HELP!] Active Directory Permissions - Accounts Operators Etc

    Look into Delegation of Control in AD -- right click any OU and select "Delegate Control"
    The wizard handles standard tasks or you can create custom ones

    This allows you to restrict staff to certain OUs only
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
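
A command-line equivalent of the delegation described in the answer above, added here as an example and not part of the original thread. The OU path, domain and group name are placeholders to replace with your own, and the `pwdLastSet` grant is optional.

```powershell
# Assumed names (placeholders, not from the thread): adjust for your domain.
$TargetOU = 'OU=Staff,DC=example,DC=com'   # OU holding the user accounts 1st line supports
$Helpdesk = 'EXAMPLE\FirstLineSupport'     # group containing the 1st line staff

# dsacls permission strings are "trustee:rights;object-or-property;inherited-object-type".
# The trailing ";user" limits each entry to user objects.
$grants = @(
    "${Helpdesk}:CA;Reset Password;user",   # extended right: set a new password
    "${Helpdesk}:RPWP;lockoutTime;user",    # read/write lockoutTime: unlock an account
    "${Helpdesk}:RPWP;pwdLastSet;user"      # optional: force a password change at next logon
)

foreach ($grant in $grants) {
    # /I:S makes the entry apply to child objects of the OU only, not the OU itself.
    & dsacls.exe $TargetOU /I:S /G $grant
}

# Review the entries the group now holds on the OU.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $Helpdesk

# The delegation only restricts staff once they no longer hold the broader
# built-in group, so list its current members before cleaning up.
Import-Module ActiveDirectory
Get-ADGroupMember -Identity 'Account Operators' |
    Select-Object Name, SamAccountName, objectClass

# After confirming the list, remove each 1st line account
# ('jdoe' is a hypothetical account name):
# Remove-ADGroupMember -Identity 'Account Operators' -Members 'jdoe' -Confirm:$false
```

Run it from an elevated session with rights to modify the OU's ACL, and test with a 1st line account before removing anyone from Account Operators.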



    • #3
      Re: [HELP!] Active Directory Permissions - Accounts Operators Etc

      Originally posted by Ossian
      Look into Delegation of Control in AD -- right click any OU and select "Delegate Control"
      The wizard handles standard tasks or you can create custom ones

      This allows you to restrict staff to certain OUs only
      Cheers!

      Exactly what I needed
