
Piecemeal IT Permissions


  • Piecemeal IT Permissions

    I work in the IT department of a company that started by just having a US office, and now has one in Nanjing and Brno as well. With the additional offices and the geographic difference come more IT challenges. There are two IT team members in the US, and one in each of the other offices. Currently we in the US IT team have domain admin accounts for all IT admin duties, but the IT team members in the other offices do not, partially because they do not require that level of permissions for their work but also for accountability reasons. I recognize that we probably don't need full DA accounts for a fair amount of the work here, and in some cases the other IT teams need a bit more than they have. This brings me to my question:

    What's the best method for giving out piecemeal permissions to IT people?
    Per user?
    Putting users in their own individual groups?
    Delegation Of Control Wizard?
    Something else?

    This might also belong in the GPO forum, but I put it here since I thought it applied more to AD in general.

    Thanks in advance for any help!
    Last edited by Wired; 7th January 2011, 00:08. Reason: no need for whole post to be in italics

  • #2
    Re: Piecemeal IT Permissions


    Delegate permissions to the groups, and then later you simply add/remove users to the group and users will automatically inherit the necessary permissions for tasks.
    Thanks & Regards

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect

    Show your appreciation for my help by giving reputation points


    • #3
      Re: Piecemeal IT Permissions

      Admining is about making life easy. Therefore, you use groups - that way you can configure and apply permissions once, to a group.
      Then you just add and remove at will.

      Better than needing to add permissions to a new IT guy when he starts, especially if it's across a lot of systems.
      Please do show your appreciation to those who assist you by leaving Rep Point
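
The group-based delegation recommended in replies #2 and #3, as an added example that is not part of the original thread: it grants password reset and account unlock on one office's OU to a role group, then lists the resulting ACL entries for review. The domain, OU paths, group name and user account are constructed placeholders, and it assumes the RSAT ActiveDirectory module and `dsacls` are available.

```powershell
# Added example: every name below (domain, OUs, group, user) is a constructed placeholder.
Import-Module ActiveDirectory

$domainDn  = 'DC=corp,DC=example,DC=com'      # assumed domain
$netbios   = 'CORP'                           # assumed NetBIOS domain name
$siteOu    = "OU=Brno,OU=Sites,$domainDn"     # assumed OU holding the Brno user accounts
$groupOu   = "OU=Role Groups,$domainDn"       # assumed OU for delegation groups
$roleGroup = 'ROLE-Brno-AccountSupport'       # hypothetical role group

# 1. One role group per delegated task set; permissions are granted to it once.
if (-not (Get-ADGroup -Filter "Name -eq '$roleGroup'")) {
    New-ADGroup -Name $roleGroup -GroupScope DomainLocal -GroupCategory Security `
        -Path $groupOu -Description 'Reset passwords and unlock accounts in the Brno OU'
}

# 2. Delegate on the OU. These are the same kind of ACL entries the
#    Delegation of Control Wizard writes.
#    /I:S = apply to child objects only, /G = grant,
#    CA = control access right, RP/WP = read/write property.
dsacls $siteOu /I:S /G "${netbios}\${roleGroup}:CA;Reset Password;user"
dsacls $siteOu /I:S /G "${netbios}\${roleGroup}:WP;pwdLastSet;user"
dsacls $siteOu /I:S /G "${netbios}\${roleGroup}:RPWP;lockoutTime;user"

# 3. Day-to-day administration is now group membership only.
Add-ADGroupMember -Identity $roleGroup -Members 'brno.admin'   # hypothetical account

# 4. Review: explicit (non-inherited) ACEs on the OU that name the role group.
(Get-Acl -Path "AD:\$siteOu").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$roleGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Running step 4 on a schedule and comparing the output against the intended delegations shows when rights have been granted outside the role groups.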


      • #4
        Re: Piecemeal IT Permissions

        Thanks for the input. It sounds like we just need to rethink/redesign our groups structures and permissions.


        • #5
          Re: Piecemeal IT Permissions

          Okay, so I wasn't clear enough in my understanding of what was wanted from this, so I need to clarify again.

          I know we already use groups for things like file shares, folder security permissions, RDP access, etc. However, more fine control on a specific server is desired once someone has access to it. Like denying the ability to change domain/AD/DHCP settings on a DC for example, but still being able to RDP to it and reboot. Or changing certain Windows settings about the server is blocked or opening a specific program is blocked.


          • #6
            Re: Piecemeal IT Permissions

            Use some of the built-in groups (Server Managers for example) if they meet your requirements, otherwise create your own and look at user rights.
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd

            ** Remember to give credit where credit is due and leave reputation points where appropriate **