Jr. Domain Admin

  • Jr. Domain Admin

    Does anyone know the proper way to create a Jr. Domain Admin?
    I have created a group called "Jr. Admin" and delegated control with the appropriate settings:
    create, delete and manage user accounts; reset user passwords; modify group membership; join computers to the domain.

    However, users in "Jr. Admin" can still manage users that are Domain Admins. That's what I want to prevent.
    I want to prevent "Jr. Admins" from being able to manage certain groups and users.

    My understanding is to deselect inheritable permissions on the OUs that you don't want "Jr. Admins" to manage. Is this correct, or is there a better way?

    Thank you.

  • #2
    Re: Jr. Domain Admin

    Restrict the OUs they can manage?
    Put all the DAs in a specific OU, and prevent delegation of authority to that OU.


    • #3
      Re: Jr. Domain Admin

      Originally posted by tehcamel:
        Restrict the OUs they can manage?
        Put all the DAs in a specific OU, and prevent delegation of authority to that OU.

      Definitely the best way. Just one add-on: make sure to move all "high privileged" groups out of their reach as well. You can prevent them from resetting admin user passwords, but it counts for nothing when they can add themselves to "Domain Admins" or some other custom high-privileged group.

      You can also restrict group memberships. It's a good way to lock down a specific group; note that it will be refreshed along with Group Policy (every 90 minutes by default for member computers, 5 minutes for a DC).
      http://support.microsoft.com/kb/279301

      You can also edit the default ACL for a user or group. Go to ADUC, select "View" -> "Advanced...". Afterwards you can see who gets what permissions on an object. Beware that this method has one big downside: if you create a new group, you'll have to remember to edit its ACL if you want to prevent someone from editing it.
      http://technet.microsoft.com/en-us/l...85(WS.10).aspx

      In conclusion, go with tehcamel's advice and make sure you cover all objects in question.
      Good luck.
      Regards,
      Leonid

      MCSE 2003, MCITP EA, VCP4.
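A way to verify the outcome of the advice in this thread (added example, not code from either poster): the script below checks whether the delegated group still holds any Allow ACE on the OU where the privileged accounts were moved, on the objects inside it, or on the AdminSDHolder-protected groups (adminCount = 1, e.g. Domain Admins). The group name "Jr. Admin" and the OU name "Tier0" are assumptions; adjust them to your domain.

```powershell
# Added audit example; requires the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

$DelegatedGroup = 'Jr. Admin'                                          # assumption: name of the delegated group
$ProtectedOU    = 'OU=Tier0,' + (Get-ADDomain).DistinguishedName        # assumption: OU holding DAs and privileged groups

# Resolve the delegated group to its SID so that ACEs are matched by identity, not by display name
$delegatedSid = (Get-ADGroup -Identity $DelegatedGroup).SID

# Objects that must stay out of the delegated group's reach:
# the protected OU itself, everything beneath it, and every group AdminSDHolder protects
$targets = @(Get-ADObject -Identity $ProtectedOU) +
           @(Get-ADObject -SearchBase $ProtectedOU -Filter *) +
           @(Get-ADGroup -Filter 'adminCount -eq 1')

$findings = foreach ($obj in ($targets | Sort-Object DistinguishedName -Unique)) {
    $acl = Get-Acl -Path ('AD:\' + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Translate the ACE principal (usually an NTAccount) to a SID; skip entries that cannot be resolved
        $aceSid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
        if ($aceSid -eq $delegatedSid -and $ace.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                Rights     = $ace.ActiveDirectoryRights
                Inherited  = $ace.IsInherited       # True means the OU still inherits the delegation from above
                ObjectType = $ace.ObjectType        # GUID of the property/extended right, or all-zero for the whole object
            }
        }
    }
}

if ($findings) {
    Write-Warning "'$DelegatedGroup' still holds Allow rights on protected objects:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "'$DelegatedGroup' has no explicit or inherited Allow ACEs on the protected OU or on adminCount=1 groups."
}
```

A finding with Inherited = True means the delegation from the parent container is still flowing into the protected OU, which is exactly what blocking inheritance on that OU (as the original question proposed) is meant to stop. Re-run the script after each delegation change, since a newly created group is not covered until it is moved into the protected OU.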
