Security Basics mailing list archives
RE: local admin/ domain admin
From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Tue, 6 Mar 2007 17:09:12 -0500
Sohail,

You will want to use "delegation". One of the options is something along the lines of "perform common helpdesk tasks".

By default, all users can add 10 machines to the domain. You can change that in the Default Domain Controller Policy; note that this is different from the Default Domain Policy.

In my Windows environments, I created a group "CanAddMachines" and dropped the Helpdesk group in there (W00t! nested groups in 2003). Then I removed "Everyone" and added "CanAddMachines" in the Default Domain Controller Policy (right-click the DC OU).

What you can delegate is granular, so I never had a need for the built-in options. I created groups CanChangePasswords and CanCreateUsers, and delegated rights accordingly. This allowed me to control who on the Helpdesk could do what. Noobs weren't given the right to change passwords, for instance.

So, check out "delegation" in AD.

You'll also want to drop the admin accounts, service accounts, etc. into an OU above where you delegate rights to the Helpdesk so they can't change those passwords. I also dropped CanChangePasswords, CanCreateUsers and CanAddMachines outside the reach of the Helpdesk.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Sohail Sarwar
Sent: Tuesday, March 06, 2007 12:33 PM
To: WALI; security-basics () securityfocus com
Subject: local admin/ domain admin

Hi Guys,

I want to create an administrator account on the domain for my helpdesk persons. I basically want them to only add machines to the domain, and add user accounts for new employees with the option to change their passwords. Basically, I do not want to give them the administrator's password, and I want to control what can be done, potentially and accidentally...

Can someone assist and let me know how I can do that? Or provide me the procedures. Any guidance would be great!

Regards,
Sohail
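The procedure Scott describes (delegation groups, Reset Password / Create User / Create Computer rights scoped to specific OUs, admin and service accounts kept in an OU the Helpdesk cannot touch, and the per-user machine-join default turned off), written out as an added example that is not part of the original thread. It is a PowerShell script using the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later, so it postdates the 2003 environment in the post, where the same work was done in the Delegation of Control wizard or with dsacls). The domain corp.example, the OU names Staff, Workstations and Tier0, and the pre-existing groups Helpdesk and Helpdesk-Senior are assumptions chosen for illustration. Two points the post does not spell out: the default of ten machine joins per user comes from the ms-DS-MachineAccountQuota attribute on the domain object, and it only limits users who hold the "Add workstations to domain" user right (granted to Authenticated Users by the Default Domain Controllers Policy) without an explicit Create Computer Objects permission, so a group that is delegated that permission on an OU is not subject to the quota; and the user right itself is edited in the Default Domain Controllers Policy GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, which this script does not change.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and a domain whose OU names (Staff, Workstations, Tier0) and Helpdesk
# groups (Helpdesk, Helpdesk-Senior) are illustrative. Run once as a Domain Admin.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dn      = $domain.DistinguishedName        # e.g. DC=corp,DC=example (assumed)
$staffOU = "OU=Staff,$dn"                   # users the Helpdesk may create / reset
$wsOU    = "OU=Workstations,$dn"            # computers the Helpdesk may join
$adminOU = "OU=Tier0,$dn"                   # admins, service accounts, delegation groups: no Helpdesk rights here

# Fixed schema / extended-right GUIDs from the AD schema
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # computer object class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control-access right
$pwdLastSet    = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # pwdLastSet (tick "must change password at next logon")

# 1. OUs: the delegated scope (Staff, Workstations) and the out-of-reach one (Tier0)
foreach ($ou in $staffOU, $wsOU, $adminOU) {
    try   { $null = Get-ADOrganizationalUnit -Identity $ou }
    catch { New-ADOrganizationalUnit -Name ($ou -replace '^OU=([^,]+),.*', '$1') -Path $dn }
}

# 2. Delegation groups, created inside Tier0 so the Helpdesk cannot edit their membership
foreach ($g in 'CanAddMachines', 'CanCreateUsers', 'CanChangePasswords') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -Path $adminOU
    }
}
# Nested membership: everyone on the Helpdesk joins machines and creates users,
# only the senior subset (assumed group Helpdesk-Senior) resets passwords.
Add-ADGroupMember -Identity CanAddMachines     -Members Helpdesk
Add-ADGroupMember -Identity CanCreateUsers     -Members Helpdesk
Add-ADGroupMember -Identity CanChangePasswords -Members Helpdesk-Senior

# 3. Granular ACEs on the OUs, the same thing the Delegation of Control wizard writes
function Grant-OURight {
    param(
        [string]$OU,
        [string]$Group,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,
        [guid]$InheritedObjectType = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'All'
    )
    $sid  = (Get-ADGroup -Identity $Group).SID
    $acl  = Get-Acl -Path "AD:\$OU"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $Rights, 'Allow', $ObjectType, $Inherit, $InheritedObjectType)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

# CanCreateUsers: create user objects in Staff (and sub-OUs), nothing else
Grant-OURight -OU $staffOU -Group CanCreateUsers -Rights 'CreateChild' -ObjectType $userClass

# CanChangePasswords: Reset Password right plus write to pwdLastSet, on user objects under Staff only
Grant-OURight -OU $staffOU -Group CanChangePasswords -Rights 'ExtendedRight' `
    -ObjectType $resetPassword -Inherit 'Descendents' -InheritedObjectType $userClass
Grant-OURight -OU $staffOU -Group CanChangePasswords -Rights 'ReadProperty, WriteProperty' `
    -ObjectType $pwdLastSet -Inherit 'Descendents' -InheritedObjectType $userClass

# CanAddMachines: create (and clean up) computer objects in Workstations
Grant-OURight -OU $wsOU -Group CanAddMachines -Rights 'CreateChild, DeleteChild' -ObjectType $computerClass

# 4. Turn off the "any authenticated user can join 10 machines" default. Groups with
#    the Create Computer Objects permission above are not limited by this quota.
Set-ADDomain -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

# 5. Check: the Helpdesk groups appear in the Staff/Workstations ACLs and nowhere in Tier0
function Test-Delegation {
    param([string]$OU, [string]$Group)
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference -like "*\$Group" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
Test-Delegation -OU $staffOU -Group CanChangePasswords   # expect ExtendedRight + WriteProperty on user descendants
Test-Delegation -OU $adminOU -Group CanChangePasswords   # expect no output: Tier0 stays out of reach
```

The Reset Password right is granted with inheritance to user descendants only, so a computer or group object placed under Staff does not pick it up, and nothing is granted at the domain root, which is what keeps the Tier0 accounts (and the Can* groups themselves) outside the Helpdesk's reach as the post recommends. After the script, replace Authenticated Users with CanAddMachines under "Add workstations to domain" in the Default Domain Controllers Policy and run gpupdate on the DCs; the quota change takes effect immediately.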
Current thread:
- local admin/ domain admin Sohail Sarwar (Mar 06)
- RE: local admin/ domain admin Quigley, Joe (Mar 07)
- RE: local admin/ domain admin Smith, Ryan (Mar 07)
- RE: local admin/ domain admin Scott Ramsdell (Mar 07)
- Re: local admin/ domain admin shaheedpak (Mar 07)
- RE: local admin/ domain admin Herb Martin (Mar 07)