I am one of two Windows admins on a 500-user, 15+ branch
network, and I am trying to push some of the menial chores to the helpdesk staff
(like account creation and Citrix profile repairing) so that I can start
working on the more critical issues with our network. I have delegated the
appropriate rights to our Helpdesk Admin group to create accounts within the
appropriate OUs and need to dig a little deeper to get the Exchange
account creation settled (I thought I got that set up with a custom AD delegation,
but I may not have enabled all the right objects).

But the big stumbling block I
ran into was when I was training the HD supervisor in creating accounts, and
the nifty little script I wrote that created a home drive share folder and a
terminal services profile folder, copied the profile template and cacl'd
the rights for that user failed on the cacl. Looking deeper, I realized that
although I gave the HD Admin group full control of the drives where these
folders existed, the account was in our NY branch, which only had 1 main server
(domain controller), and that the additional security measures on a
domain controller prevented him from changing the security on the folders (we
had added him to the local administrator group for other servers but were unable to
add him to the local admin group for the domain controller).

Now my primary question is: how can I grant this right to
modify file permissions on a domain controller without granting him Domain
Admins rights?

Gideon Ashcraft
Network Administrator
Screen Actors Guild
