Active Directory Permissions

Wirelondon

I have been asked by my manager to set up access for the Helpdesk Team to
access the Active Directory.

I need some advice, as when I asked what access I should give the Helpdesk
team he replied "give them same access as you", but I don't want
them having full control.

Our helpdesk team is 3 people who look after all 1st line & 2nd line
support issues.

Has anyone else been asked to grant people access, but not wanting to
give them full control?


Many thanks

Phil
 
Florian Frommherz

Howdy!

Wirelondon said:
I need some advice, as when I asked what access I should give the Helpdesk
team he replied "give them same access as you", but I don't want
them having full control.
Our helpdesk team is 3 people who look after all 1st line & 2nd line
support issues.
Has anyone else been asked to grant people access, but not wanting to
give them full control?

Depending on what the helpdesk people shall be able to do, you would
maybe like to delegate them control over several OUs - for example
giving them the ability to reset users' passwords in the OU "sales" or
creating computer accounts in some other OU. See:
http://www.microsoft.com/technet/pr...ctory/activedirectory/stepbystep/ctrlwiz.mspx

Is it this you were searching for?

cheers,

Florian
 
Paul Bergson

Don't randomly just hand over the keys to the LAN (Making them the same as
you) because in the end you will be held responsible for problems and will
probably have to fix any errors.

Learn what they need to do: change passwords, enable accounts, create users,
etc., and provide them the least amount of privilege from the definition of
their job.

Once this has been defined, delegate control to a security group and then
make users members of this group; this way, as people come and go, all you
have to do is change the membership of the group.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.
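The delegation Florian and Paul describe (a security group, an OU, and only the rights the job needs), written out as an added PowerShell example. This is not code from the thread; the group name Helpdesk-Tier1 and the OU OU=Sales,DC=example,DC=com are assumptions, and it needs the ActiveDirectory module (RSAT) and an account that may change the OU's ACL. It grants the group Reset Password on user objects under the OU, plus write access to pwdLastSet (to force a change at next logon) and lockoutTime (to unlock accounts), and nothing on the OU itself.

```powershell
# Added example, not from the thread. Assumed names: group 'Helpdesk-Tier1',
# OU 'OU=Sales,DC=example,DC=com'. Run with an account allowed to edit the OU's ACL.
Import-Module ActiveDirectory

$groupName = 'Helpdesk-Tier1'                  # assumed security group
$targetOU  = 'OU=Sales,DC=example,DC=com'      # assumed OU

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve the GUIDs from this forest's schema instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid
    [Guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'   # not 'Change Password', which needs the old one

$sid       = (Get-ADGroup -Identity $groupName).SID
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readWrite = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ruleType  = [System.DirectoryServices.ActiveDirectoryAccessRule]

function New-HelpdeskAce($Rights, [Guid]$ObjectType) {
    # Inherit-only ACE limited to objects of class user beneath the OU;
    # the OU object itself gets no new rights.
    $ruleType::new($sid, $Rights, $allow, $ObjectType, $inherit, $userClass)
}

$acl = Get-Acl -Path "AD:\$targetOU"
$acl.AddAccessRule((New-HelpdeskAce $extRight  $resetPwd))     # reset a user's password
$acl.AddAccessRule((New-HelpdeskAce $readWrite $pwdLastSet))   # "must change password at next logon"
$acl.AddAccessRule((New-HelpdeskAce $readWrite $lockoutTime))  # unlock a locked-out account
Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Verify: list only the ACEs this group now holds on the OU.
$netbios = (Get-ADDomain).NetBIOSName
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq "$netbios\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the ACEs are inherit-only and filtered to the user class, a user object moved out of the OU stops being resettable by the group, and computer or group objects under the OU are never affected. Adding a helpdesk member is then just Add-ADGroupMember on Helpdesk-Tier1; nothing on the OU needs to change.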
 
Joe Richards [MVP]

"Give them the same access as you" is a silly directive, but what it
should translate to is: give them what they need to do their job. In
order to do that you need to find out what tasks they need to do, and
then you can delegate based on that; it is possible you may find
something you can't delegate without giving them too much power. For
instance, if you give them full control over OUs or let them create OUs,
then you have given them the keys to create anything they want, so
removing the ability to create, say, users or something like that is
worthless, as it can be overridden.

Once you have a list of tasks you need to delegate, go download the
Delegation Whitepaper from Microsoft and pick out the pieces you need.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
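Joe's warning is that one broad ACE (full control, or an unrestricted create-child right) on an OU makes every narrower restriction moot. The following added PowerShell audit, not from the thread, walks the domain head and every OU, pulls out the ACEs held by an assumed group Helpdesk-Tier1, and flags the ones that are over-broad: GenericAll/GenericWrite/WriteDacl/WriteOwner/DeleteTree, WriteProperty with an empty ObjectType (every attribute, so group membership and userAccountControl included), CreateChild with no class restriction, and inheritable ACEs not scoped to a single object class. It needs the ActiveDirectory module and read access to the ACLs.

```powershell
# Added example, not from the thread. Assumed group name: 'Helpdesk-Tier1'.
# Reports ACEs that would let the group override any finer-grained delegation.
Import-Module ActiveDirectory

$groupName = 'Helpdesk-Tier1'                       # assumed group name
$netbios   = (Get-ADDomain).NetBIOSName
$account   = "$netbios\$groupName"
$emptyGuid = [Guid]::Empty
$adRights  = [System.DirectoryServices.ActiveDirectoryRights]

# Rights that hand over the container regardless of anything else in the ACL.
$overBroad     = $adRights'GenericAll, GenericWrite, WriteDacl, WriteOwner, DeleteTree'
$writeProperty = $adRights::WriteProperty
$createChild   = $adRights::CreateChild

# Containers to inspect: the domain head plus every OU (inherited ACEs are
# reported too, so a bad ACE at the domain head shows up on each OU below it).
$containers = @((Get-ADDomain).DistinguishedName) +
    (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

function Get-OverBroadAces {
    foreach ($dn in $containers) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ne $account) { continue }
            if ($ace.AccessControlType -ne 'Allow')        { continue }

            $reasons = @()
            $hit = $ace.ActiveDirectoryRights -band $overBroad
            if ([int]$hit -ne 0) { $reasons += "grants $hit" }

            if (([int]($ace.ActiveDirectoryRights -band $writeProperty) -ne 0) -and
                $ace.ObjectType -eq $emptyGuid) {
                $reasons += 'writes every attribute (incl. member, userAccountControl)'
            }

            if ([int]($ace.ActiveDirectoryRights -band $createChild) -ne 0) {
                if ($ace.ObjectType -eq $emptyGuid) { $reasons += 'creates objects of any class (incl. OUs)' }
                else                                { $reasons += "creates objects of class $($ace.ObjectType), review" }
            }

            # An inheritable ACE with no InheritedObjectType applies to every class
            # beneath the container, not just users.
            if ($ace.InheritanceType -ne 'None' -and $ace.InheritedObjectType -eq $emptyGuid -and $reasons.Count -eq 0) {
                $reasons += 'not scoped to one object class'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Container = $dn
                    Inherited = $ace.IsInherited
                    Rights    = $ace.ActiveDirectoryRights
                    Why       = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-OverBroadAces | Format-Table -AutoSize
```

A clean run prints nothing. Anything it does print is an ACE to remove or narrow before the finer delegations mean anything; a CreateChild limited to one class (computer objects, as Florian mentions) is legitimate and is listed for review rather than as a finding in its own right. The audit only matches ACEs naming the group directly, so it should be repeated for any group the helpdesk accounts are nested into.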
 
Herb Martin

Wirelondon said:
I have been asked by my manager to set up access for the Helpdesk Team to
access the Active Directory.

I need some advice, as when I asked what access I should give the Helpdesk
team he replied "give them same access as you", but I don't want
them having full control.

Our helpdesk team is 3 people who look after all 1st line & 2nd line
support issues.

Has anyone else been asked to grant people access, but not wanting to
give them full control?

Read the other responses which are correct (Florian, Joe, Paul).

It might help you to know the following:

Active Directory and with it Win2000/2003 server contain numerous
features designed specifically to allow for the appropriate delegation
of control to those who need additional authority.

This control can not only be delegated incrementally, it can be delegated
over subsets of the domain, usually at the OU level (but technically all
the way down to a single property on a single user).

So, yes, many people have faced this issue and Microsoft designed
the new systems to meet these requirements.

Take a look at AD Users and Computers, right click on an OU and
notice that there is a "Delegation of Control" wizard that lets you
easily delegate the most common tasks requiring delegation.

More sophisticated delegations can be performed through the actual
PERMISSIONS on each AD object (if you understand NTFS permissions
then you can loosely think of OUs like directories and users/computers
like files -- although most admins don't really understand NTFS
thoroughly), or you can delegate some things, like control over services,
conveniently in Group Policy.

Microsoft has already provided examples of service delegation in
Win2003 by creating groups called "DHCP Users" and "WINS
Users" that have read only access to the DHCP and WINS console
and data. ("User" is a slight misnomer because this is not about
ordinary users.)

These two groups are typically used specifically to give the Help
Desk the ability to FIND a DHCP or WINS problem when helping
a user, but require them to call a "real admin" to make any changes,
if and only if changes are necessary.

Joe gave you some pointers to white papers and the above may
give you the basic philosophy of Win2000+ and AD.
 
