Guest Tester
Posted April 4, 2008

Hi there,
What permissions should I assign to a remote user that needs to be able to:
- login locally to an AD server to manage users, like resetting passwords, and check backups on the server.
All our organization is under one OU and this server/user is on a different site.
Thank you, T
Guest Ace Fekay [MVP]
Posted April 16, 2008

Re: permissions

In news:e4786a57-8ddf-4b01-9cc6-e8ebf97e862e@e67g2000hsa.googlegroups.com, Tester <calinguga@netscape.net> typed:
> Hi there,
> What permissions should I assign to a remote user that needs to be
> able to:
> -login locally to an AD server to manage users like resetting passwords
> and check backups on the server.
> All our organization is under one OU and this server/user is on a
> different site.
> Thank you, T

Logon Locally rights to the DC. Better yet, allow them to VPN in and only remote into their own desktop and open their custom MMC that you've pre-created for him/her to administer the OU you've delegated the permission to him/her to perform these tasks (assuming you did it this way).

If not, have you already delegated the perms to the OU?

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Infinite Diversities in Infinite Combinations
Guest Tester
Posted April 17, 2008

Re: permissions

> If not, have you already delegated the perms to the OU?
>
> --
> Regards,
> Ace
>

Hi Ace,
How do I go about delegating permissions on an OU to other users, but with limited access?
Thank you, T
Guest Ace Fekay [MVP]
Posted April 18, 2008

Re: permissions

In news:4dc271b9-baac-402c-bcb8-7914835408c5@m73g2000hsh.googlegroups.com, Tester <calinguga@netscape.net> typed:
> > If not, have you already delegated the perms to the OU?
> >
> > --
> > Regards,
> > Ace
> >
> Hi Ace,
> How do I go about delegating permissions on an OU to other users, but with
> limited access? Thank you, T

Breaking up your users into multiple OUs sounds like a better plan for starters. Put in the users that you want your delegates to reset passwords or perform other tasks for, while moving others out, such as the CEO, execs, etc. Besides, properly designing an OU structure is best practice. There are a few design models, depending on your company's organizational layout, business model and locations (local or global). Time for some reading...

Step A1: Design the OU Structure:
http://technet.microsoft.com/en-us/library/cc268206.aspx

AD Organizational Unit Design Principles:
http://msforums.ph/blogs/jpaloma/archive/2006/07/21/Organizational-Unit-Design-Principles.aspx

Tom Shinder's Blog: OU Design to Support Security Group Policy:
http://blogs.windowsecurity.com/shinder/2008/03/25/ou-design-to-support-security-group-policy/

Use the Delegation Wizard in AD to delegate the ability to reset passwords, change certain attributes, etc. Right-click the OU, select Delegate. The options are too much to go over here. Same with making a custom MMC for them so they can only see that OU and nothing else. You can also simply add them to the Account Operators group to give them a blanket of admin tasks on the whole domain.

Best Practices for Delegating Active Directory Administration (this has multiple pages):
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/actdid1.mspx

Implementing Active Directory Delegation of Administration (good article):
http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

And some more reading:
Download details: Best Practices for Delegating Active Directory Administration:
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en
or easier if the above URL line-wrapped: http://tinyurl.com/vzlg

As for checking and administering backups on a DC, that is not a delegation option, but rather they need Logon Locally on the DC (Start/Programs/Admin Tools/Domain Controller Policy) as well as putting them in the DC's Local Backup group, which should also work with a third party DR solution (Veritas, etc.) but you have to double check. Veritas may require the user to have local admin rights.

What is the Backup Operator?
http://www.monitorware.com/Common/en/SecurityReference/LocalGroup-BackupOperators.php

Securing Active Directory Administrative Groups and Accounts (goes over the different types of groups available that can perform certain tasks on a machine):
http://www.microsoft.com/technet/security/guidance/networksecurity/sec_ad_admin_groups.mspx

If you want to delegate Exchange server admin tasks, this is more complicated and a whole other topic. One needs to understand AD permissions at the attribute level first prior to understanding how to delegate specific tasks in Exchange. It has a delegation wizard too, but that doesn't give them the AD rights and permissions they need to work on user accounts and other mail-enable capable objects.

Ace
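The scoped reset-password delegation Ace describes (Delegation Wizard on one OU, rather than a blanket Account Operators membership) can also be applied and then verified from PowerShell; this is an added example, not code from the thread, and the OU distinguished name and group name are placeholders that assume the RSAT ActiveDirectory module is installed.

```powershell
# Added example: grant a helpdesk group the "Reset Password" extended right on
# user objects under a single OU, then read the ACL back to confirm the scope.
# $ouDN and $delegate are placeholders; replace with your own OU and group.
Import-Module ActiveDirectory

$ouDN     = "OU=HelpdeskManaged,DC=example,DC=com"   # placeholder OU
$delegate = "HelpdeskPasswordReset"                  # placeholder global group

# Well-known schema GUIDs: the User-Force-Change-Password extended right and
# the 'user' object class, so the grant applies only to user objects.
$resetPwdRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$sid = (Get-ADGroup -Identity $delegate).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# One ACE: Allow ExtendedRight (reset password), inherited by descendant
# user objects only, not by the OU itself or by other object classes.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the explicit (non-inherited) ACEs on the OU held by the group.
# Anything beyond a single ExtendedRight ACE scoped to 'user' means the
# delegation is wider than intended and should be reviewed.
Get-Acl -Path "AD:\$ouDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\$delegate" -and -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritanceType, InheritedObjectType
```

Rerunning only the final Get-Acl pipeline periodically against each delegated OU is a cheap way to catch delegation creep over time.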