There is a built-in group, starting in XP and 2003, called Network Configuration Operators that has the rights already assigned to it to change network configurations, which might point you to what rights you need on a machine.
With regard to access to the ability to modify rules, you might try using a combination of GPOs with delegated rights. IPsec policies are normally linked via GPOs if the machine is part of an AD, but you can also make standalone policies, export them and import them from files. I guess the challenge will be to locate the machines in a container so that the policies that are applied only affect the machines these users manage, and not the general population. Using GPOs doesn't require the use of a service account.

http://technet2.microsoft.com/WindowsServer/en/Library/0de2a247-b456-4105-8863-21055e06a6e91033.mspx?mfr=true

Review this article and see if it answers some of your questions.

Todd

-----Original Message-----
From: Isenhour, Joseph [mailto:[EMAIL PROTECTED]
Sent: Friday, June 23, 2006 11:13 AM
To: [email protected]
Subject: [ActiveDir] Delegating IPSec rights

I'm trying to write an IPSec editor for the operations folks and I need to make sure that they can only edit specific rules. Does anyone know how to delegate rights to modify specific IPSec Filter Rules and Filter Lists? Are they stored in AD somewhere? Or are they in the registry on the DCs?

I was also thinking that I could use a service account with elevated privileges to perform the operations; however, I'm not sure if I can specify alternate creds when performing the edits.

Thanks!

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
