Re: permissions
In news:4dc271b9-baac-402c-bcb8-7914835408c5@m73g2000hsh.googlegroups.com,
Tester <calinguga@netscape.net> typed:
> > If not, have you already delegated the perms to the OU?
> >
> > --
> > Regards,
> > Ace
> >
>
> Hi Ace,
> How do I go about delegating permissions to an OU to other users, but with
> limited access? Thank you, T
Breaking up your users into multiple OUs sounds like a better plan for
starters. Put users in that you want your delegates to reset passwords or
other tasks while moving others out, such as the CEO, execs, etc. Besides,
properly designing an OU design is best practice. There are a few design
models, depending on your company's organizational layout, business model
and locations (locally or global).
Time for some reading...
Step A1: Design the OU Structure:
http://technet.microsoft.com/en-us/library/cc268206.aspx
AD Organizational Unit Design Principles:
http://msforums.ph/blogs/jpaloma/archive/2006/07/21/Organizational-Unit-Design-Principles.aspx
Tom Shinder's Blog: OU Design to Support Security Group Policy:
http://blogs.windowsecurity.com/shinder/2008/03/25/ou-design-to-support-security-group-policy/
Use the Delegation Wizard in AD to delegate the ability to reset passwords,
change certain attributes, etc. Right-click the OU, select Delegate. The
Options are too much to go over here. Same with making a custom MMC for them
so they can only see that OU and nothing else. You can also simply add them
to the Account Operators group to give them a blanket of admin tasks on the
whole domain.
Best Practices for Delegating Active Directory Administration (this has
multiple pages)
http://www.microsoft.com/technet/pr...logies/directory/activedirectory/actdid1.mspx
Implementing Active Directory Delegation of Administration (good article):
http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
And some more reading:
Download details Best Practices for Delegating Active Directory
Administration:
http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
or easier if the above URL line-wrapped:
http://tinyurl.com/vzlg
As for checking and administering backups on a DC, that is not a delegation
option, but rather they need Logon Locally on the DC (Start/Programs/Admin
Tools/Domain Controller Policy) as well as putting them in the DC's Local
Backup group, which should also work with a third party DR solution
(Veritas, etc) but you have to double check. Veritas may require the user
have local admin rights.
What is the Backup Operator?
http://www.monitorware.com/Common/en/SecurityReference/LocalGroup-BackupOperators.php
Securing Active Directory Administrative Groups and Accounts (goes over the
different types of groups available that can perform certain tasks on a
machine):
http://www.microsoft.com/technet/security/guidance/networksecurity/sec_ad_admin_groups.mspx
If you want to delegate Exchange server admin tasks, this is more
complicated and a whole other topic. One needs to understand AD permissions
at the attribute level first prior to understanding how to delegate specific
tasks in Exchange. It has a delegation wizard too, but that doesn't give
them the AD rights and permissions they need to work on user accounts and
other mail-enabling capable objects.
Ace
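
The delegation described in the reply above (password resets limited to one OU, as opposed to blanket Account Operators membership), as an added example that is not part of the original post. It uses dsacls in place of the Delegation Wizard, then reads the ACL back to check the result. The OU distinguished name and the group name are hypothetical placeholders, and the ActiveDirectory PowerShell module (RSAT) is assumed to be installed.

```powershell
# Added example. $OuDn and $Delegate are hypothetical placeholders.
Import-Module ActiveDirectory

$OuDn     = 'OU=Staff,DC=example,DC=com'   # OU holding the users to be managed
$Delegate = 'EXAMPLE\Helpdesk-PwdReset'    # delegate to a group, not to individuals

# 1. Grant only what a password reset needs, inherited to user objects
#    below the OU (/I:S = sub-objects only).
#    CA = control access (extended right), RP/WP = read/write property.
dsacls $OuDn /I:S /G "${Delegate}:CA;Reset Password;user"
dsacls $OuDn /I:S /G "${Delegate}:RPWP;pwdLastSet;user"    # "must change at next logon"
dsacls $OuDn /I:S /G "${Delegate}:RPWP;lockoutTime;user"   # unlock account

# 2. Read the ACL back and list every ACE the delegate group holds on the OU.
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Delegate }

$aces | Select-Object ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType |
    Format-Table -AutoSize

# Schema GUID of the "Reset Password" extended right.
$ResetPwdGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
if (-not ($aces | Where-Object { $_.ObjectType -eq $ResetPwdGuid })) {
    Write-Warning "Reset Password right not found for $Delegate on $OuDn"
}

# Flag rights that go beyond the intended limited delegation.
$broad = $aces | Where-Object {
    $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner'
}
if ($broad) {
    Write-Warning "$Delegate holds broad rights on ${OuDn}: review these ACEs"
    $broad | Format-List ActiveDirectoryRights, ObjectType, InheritanceType
}

# 3. Account Operators applies domain-wide, so review who is in it.
Get-ADGroupMember -Identity 'Account Operators' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

Run it as an account that can modify permissions on the OU. Step 2 can be re-run on its own later to confirm the delegation has not drifted.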