Rights -Account Operators

[Guest]

Umm !!

I have IT Users part of the group Account Operators and Server Operators to
allow them do basic functions on the domain controllers like reset passwords
- add pc's - disa\enable user accounts, etc. (I would like to know if is it
the best configuration that I can use?)

*The matter is an IT user part of account operators group; he can not
change any option on other member from that group like him.

Thanks any comments !!

(I'm not understand very well delegation i'm reading about it )

 

[Jorge_de_Almeida_Pinto]

Umm !!

I have IT Users part of the group Account Operators and
Server Operators to
allow them do basic functions on the domain controllers like
reset passwords
- add pc's - disaenable user accounts, etc. (I would like to
know if is it
the best configuration that I can use?)

*The matter is an IT user part of account operators group; he
can not
change any option on other member from that group like him.

Thanks any comments !!

(I'm not understand very well delegation i'm reading about it
)

In my opinion and it is also a best practise not to use the default
admin groups in AD. The best way is to delegate tasks to admin users

* Create Administrative user accounts (only used for admin purposes
and not to read mail of browse the internet, use the normal account
for that!)
* Create a role group for each admin role in your IT department
* Create task group for each task or set of tasks
* use the delegation of control wizard to delegate by assigning a task
or tasks to one of the taskgroups (right click the OU and select
delegate control...)
* Make each role group a member of the task groups it should be able
to do
* make each admin user account a member of the role group

admin user account -> role group -> task groups

you may also need to use the restricted groups feature in GPOs to make
task groups a member of local admin groups on member servers