AD Permissions

Guest

We are win2000 AD.

I have given our desktop support guys permissions to change passwords and to
add computers to our domain. This is so when they build a new pc, they can
join it to our domain.
However, what I have noticed is that they can now create users, modify
users, etc. They are unable to modify any admin accounts, but still... I
don't think this is right.
Any ideas what I might have done wrong when setting up their permissions?

Thanks,
Hutch
 
Herb Martin

Hutch said:
We are win2000 AD.

I have given our desktop support guys permissions to change passwords and to
add computers to our domain. This is so when they build a new pc, they can
join it to our domain.
However, what I have noticed is that they can now create users, modify
users, etc. They are unable to modify any admin accounts, but still... I
don't think this is right.
Any ideas what I might have done wrong when setting up their permissions?

It would help if you told us precisely what permission you added and
how you added them (Delegation Wizard, Direct Permissions on Property
sheet, ???).

You might consider revoking all of this, and permitting them to add
computers only in certain OUs.

Audit Account management, make the business rules explicit and in writing,
and make it clear that termination is the remedy for violating the trust
placed in them to do certain things, and that this does not imply permission
to do others even if they figure out how to do so.
 
Guest

I gave the two noted permissions through the Delegation Wizard.

The "add computers" I did that only on the computers OU in AD, but the
password permissions I did at the top of the tree.

I like the idea of auditing...I think I'll turn that on.

I'll also try removing all the permissions and reapplying.

Thanks for the tips / advice.
Hutch

Herb Martin said:
Hutch said:
We are win2000 AD.

I have given our desktop support guys permissions to change passwords and to
add computers to our domain. This is so when they build a new pc, they can
join it to our domain.
However, what I have noticed is that they can now create users, modify
users, etc. They are unable to modify any admin accounts, but still... I
don't think this is right.
Any ideas what I might have done wrong when setting up their permissions?

It would help if you told us precisely what permission you added and
how you added them (Delegation Wizard, Direct Permissions on Property
sheet, ???).

You might consider revoking all of this, and permitting them to add
computers only in certain OUs.

Audit Account management, make the business rules explicit and in writing,
and make it clear that termination is the remedy for violating the trust
placed in them to do certain things, and that this does not imply permission
to do others even if they figure out how to do so.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks,
Hutch
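The thread never gets to see what the Delegation Wizard actually wrote into the ACLs, which is the question Herb asked first, and the follow-up reveals that the password right was delegated at the top of the tree where it inherits to every user in the domain. The script below is an added example, not code from either poster: it lists every ACE a delegated group holds on a container, classifies each one against the two tasks the thread intended (join computers in a specific OU, reset passwords), and offers a dry-run revocation so the delegation can be redone narrowly. It assumes the RSAT ActiveDirectory module (Server 2008 R2 or later, not the Windows 2000 tooling of the thread), and the group and OU names are placeholders for your own.

```powershell
# Added example (not from the thread): audit and revoke a group's delegated rights on AD containers.
# Assumes the ActiveDirectory module (RSAT) is installed; names below are placeholders.
Import-Module ActiveDirectory

# Schema / extended-right GUIDs; these values are the same in every AD forest.
$Guids = @{
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer objects'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user objects'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
}
$AllObjectsGuid = '00000000-0000-0000-0000-000000000000'   # ACE applies to all classes / all properties

function Get-DelegatedRights {
    param(
        [Parameter(Mandatory)][string]$GroupName,           # e.g. 'CONTOSO\Desktop Support' (placeholder)
        [Parameter(Mandatory)][string[]]$DistinguishedName  # containers to inspect
    )
    foreach ($dn in $DistinguishedName) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ne $GroupName) { continue }
            $rights  = $ace.ActiveDirectoryRights.ToString()
            $objType = $ace.ObjectType.ToString()
            $what =
                if ($Guids.ContainsKey($objType))      { $Guids[$objType] }
                elseif ($objType -eq $AllObjectsGuid)  { 'ALL object types / properties' }
                else                                   { "attribute or class $objType" }

            # Classify against the two tasks the thread meant to delegate; anything wider is flagged.
            $verdict =
                if ($ace.AccessControlType -ne 'Allow') { 'deny ACE' }
                elseif ($rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') { 'TOO BROAD' }
                elseif ($rights -match 'CreateChild|DeleteChild|WriteProperty' -and $objType -eq $AllObjectsGuid) { 'TOO BROAD' }
                elseif ($rights -match 'CreateChild' -and $objType -eq 'bf967a86-0de6-11d0-a285-00aa003049e2') { 'expected: join computers' }
                elseif ($rights -match 'ExtendedRight' -and $objType -eq '00299570-246d-11d0-a768-00aa006e0529') { 'expected: reset password' }
                else { 'review' }

            [pscustomobject]@{
                Container   = $dn
                Rights      = $rights
                AppliesTo   = $what
                Inheritance = $ace.InheritanceType   # None / All / Descendents ...
                Inherited   = $ace.IsInherited       # $true if it flowed down from a parent container
                Verdict     = $verdict
            }
        }
    }
}

function Remove-DelegatedRights {
    # Revokes every explicit (non-inherited) ACE the group holds on one container.
    # Run with -WhatIf first, then re-delegate the narrow tasks on the right OUs.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    $mine = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $GroupName -and -not $_.IsInherited })
    foreach ($ace in $mine) {
        if ($PSCmdlet.ShouldProcess($DistinguishedName, "remove '$($ace.ActiveDirectoryRights)' for $GroupName")) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    if ($mine.Count -gt 0 -and $PSCmdlet.ShouldProcess($DistinguishedName, 'write updated ACL')) {
        Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
    }
    return $mine.Count
}

# Usage (placeholders): check the domain root, where the thread's password right was delegated,
# and the OU that should be the only place computers can be joined.
$group = 'CONTOSO\Desktop Support'
$root  = (Get-ADDomain).DistinguishedName
$ou    = 'OU=Workstations,' + $root
Get-DelegatedRights -GroupName $group -DistinguishedName $root, $ou | Format-Table -AutoSize
Remove-DelegatedRights -GroupName $group -DistinguishedName $root -WhatIf   # dry run
```

A `WriteProperty` ACE scoped to a single attribute shows up as "review" rather than "TOO BROAD", since narrow property writes are what a correctly delegated task looks like; an ACE on the domain root with `Inheritance` of `All` or `Descendents` is the pattern to look for when a right meant for one OU has spread to the whole tree. For the auditing Herb recommends, the Windows 2000 "Audit account management" policy corresponds on Server 2008 and later to the User Account Management subcategory (`auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable`); events 4720 (user created), 4738 (user changed) and 4724 (password reset) record which delegated account did what.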
 
