mailing list archives
RE: local admin/ domain admin
From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Tue, 6 Mar 2007 17:09:12 -0500
You will want to use "delegation", one of the options is something along
the lines of "perform common helpdesk tasks".
By default, all users can add 10 machines to the domain. You can change
that in the Default Domain Controller Policy, note that is different
than the Default Domain Policy.
In my Windows environments, I created a group "CanAddMachines" and
dropped the Helpdesk group in there (W00t! nested groups in 2003). Then
I removed "Everyone" and added "CanAddMachines" in the Default Domain
Controller Policy (right-click the DC OU).
What you can delegate is granular, so I never had a need for the built
in options. I created groups CanChangePasswords, and CanCreateUsers,
and delegated rights accordingly. This allowed me to control who on the
Helpdesk could do what. Noobs weren't given the right to change
passwords, for instance.
So, check out "delegation" in AD.
You'll also want to drop the admin accounts, service accounts, etc. into
an OU above where you delegate rights to the Helpdesk so they can't
change those passwords. I also dropped CanChangePasswords,
CanCreateUsers and CanAddMachines outside the reach of the Helpdesk.
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Sohail Sarwar
Sent: Tuesday, March 06, 2007 12:33 PM
To: WALI; security-basics () securityfocus com
Subject: local admin/ domain admin
I want to create an administrator account on the domain for my
helpdesk persons. I basically want them to only add machines to the
domain, and add user accounts for new employees with the option to
change their passwords. Basically, I want do not want to give them the
administrators password.. and control what be done potentially and
accidentally... Can some one assist and let me know how I can do that?
Or provide me the procedures. Any guidance would be great!