Hierarchy of network admins

G

Guest

My company just merged IT departments and implemented a hierarchical scheme where I'm sharing the network admin position with 2 other people. All three of us are members of the administrators, and domain admin groups. There are two other users who are assitant network admins. We don't want these two users to have the same rights as the three of us yet we don't want to restrict them to the point that they can't function effectively. We made the 2 users members of the Server Operators and Account Operators group. Will this be enough rights? Should we give the 2 users the log on locally rights to the DC? Is there any additional rights or group memberships that should be given to them? We have only one Windows 2000 Domain with 2 Domain Controllers and 95% Win2k and Win XP W/S. Any help will be greatly appreciated. Thanks in advance, Vick279
 
P

ptwilliams

I believe Sever Operator grants the logon locally right.

It may be a good idea to create a new group, e.g. Junior Admin, and delegate
control to them. MS have released a pretty comprehensive whitepaper on the
delegation of rights, you should check it out (rumour has it there are
several errors and problems, but overall it's meant to be good).

How *many* admins for so few servers? ;-)


Paul.
_________________________
Vicky279 said:
My company just merged IT departments and implemented a hierarchical
Click to expand...
scheme where I'm sharing the network admin position with 2 other people. All
three of us are members of the administrators, and domain admin groups.
There are two other users who are assitant network admins. We don't want
these two users to have the same rights as the three of us yet we don't want
to restrict them to the point that they can't function effectively. We made
the 2 users members of the Server Operators and Account Operators group.
Will this be enough rights? Should we give the 2 users the log on locally
rights to the DC? Is there any additional rights or group memberships that
should be given to them? We have only one Windows 2000 Domain with 2 Domain
Controllers and 95% Win2k and Win XP W/S. Any help will be greatly
appreciated. Thanks in advance, Vick279
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Prevent some Domain Admin Account from creating USERS, Groups, OUs 2
Account Operators Group 15
How to grant a group rights to manage shares? 3
Enterprise Admins Rights 2
Local Admins via GPO? 1
Remove Domain Admins ability from "Delegation Of Control" 5
LDIFDE and LDP does not work correctly 0
Permissions not applied to every user 4

Top