Using the right GPO, or Group for granting 'limited' elevated admin privs


Karim Ali

Technical issues:

I am currently consulting with a firm that is in need of
an emergency ID system for elevated user access within
the Production and SYST environments.

Part of my job has been to sniff out the groups and
accounts which have these elevated privileges but who
really have no immediate need. My recommendations are
being taken very seriously and it will mean that many
will lose admin privs.

The environment has over 1000 servers and has a user
database of over 5000.
Home grown applications proliferate across the network, and
developers need access "at times" to straighten out
issues within their respective databases.

The Windows 2000 NOS with AD is implemented in native
mode.

There are some ideas out there right now, however I am
seeking some unique ways within the AD structure to grant
the needed permissions to an approved user for a short
period of time with the least administrative hassle.
Mind you, this process will be implemented in the wake of
removing admin level access from a substantial number of
IT personnel.

Have you had any experiences which mirror this
initiative? Have I left out any critical details?



Karim

Tomasz Onyszko

Karim said:
There are some ideas out there right now, however I am
seeking some unique ways within the AD structure to grant
the needed permissions to an approved user for a short
period of time with the least administrative hassle.
Mind you, this process will be implemented in the wake of
removing admin level access from a substantial number of
IT personnel.

I don't know if it fits your needs, but as far as I understand your
needs I can point you to two mechanisms in AD:
- delegation
- restricted groups

Delegation lets you delegate some administrative tasks in AD to the
chosen users or group of users.
Here you will find the document "Best Practices for Delegating Active
Directory Administration":
http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

To be correct - this lets you give administrative rights to objects in AD.

Restricted Groups is a GPO setting which lets you specify the members of
a chosen group - for example the local Administrators group on some workstations.

If you have some resources to which a specified group has administrative
rights, and you want to force some users to become members or to be
removed from the group, you can use Restricted Groups to achieve this goal.

Here you will find a description of restricted groups:
http://www.jsiinc.com/SUBG/TIP3200/rh3251.htm
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q279301

If this doesn't meet your requirements, please give the information about
it to this group.
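An added illustration of the Restricted Groups mechanism described in the reply above (not from the original thread): the `[Group Membership]` section of a security template, the GptTmpl.inf file in which a GPO stores this setting, that forces the local Administrators group (well-known SID S-1-5-32-544) on every server the GPO is linked to to contain only Domain Admins plus one dedicated domain group for temporarily elevated staff. The domain SID and the group name CONTOSO\Temp-ServerAdmins are constructed placeholders.

```ini
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Restricted Groups: the "Members" list is authoritative. At every policy
; refresh the local Administrators group (S-1-5-32-544) is reset to exactly
; this list, so an account added by hand on the server is removed again.
; ...-512 is the Domain Admins RID; the domain SID itself is a constructed placeholder.
*S-1-5-32-544__Members = *S-1-5-21-1000000000-2000000000-3000000000-512,CONTOSO\Temp-ServerAdmins
; "Memberof" left empty: do not force Administrators into any other group.
*S-1-5-32-544__Memberof =
```

Temporary elevation then becomes a membership change on CONTOSO\Temp-ServerAdmins in AD, recorded against the approval ticket and reverted when it expires, rather than an edit on each of the servers. Because the policy replaces membership instead of merging it, the list must also name every standing account that legitimately has to stay a local Administrator, or the next refresh will lock them out.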