Absolutely, baby steps are in order. I suggested the AD Del WP as probably the most authoritative reference of what *could* be done so OP can get an idea of where he could end up after thoroughly planning it out. Nothing like that should ever be undertaken without proper Change Management procedures.

-----Original Message-----
From: Don Guyer [mailto:[email protected]]
Sent: Thursday, December 17, 2009 8:29 AM
To: NT System Admin Issues
Subject: RE: Granular Admin Rights

Just be careful, you don't want to create a monster right before going on vacation/holiday. :)

We have an unwritten policy not to do major changes (unless emergency) during these times.

Don Guyer
Systems Engineer - Information Services
Prudential, Fox & Roach/Trident Group
431 W. Lancaster Avenue
Devon, PA 19333
Direct: (610) 993-3299
Fax: (610) 650-5306
[email protected]

-----Original Message-----
From: Free, Bob [mailto:[email protected]]
Sent: Thursday, December 17, 2009 11:25 AM
To: NT System Admin Issues
Subject: RE: Granular Admin Rights

You can get _extremely_ granular if you wish. First you have to decide exactly *what* you want to do and then the options for the *how* can be determined.

There are numerous treatises on the net but this is the seminal publication.

Download details: Best Practices for Delegating Active Directory Administration
http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en

Alternatively, put "Active Directory Delegation" into your search engine of choice and a number of resources come to the top.

-----Original Message-----
From: Robert Jackson [mailto:[email protected]]
Sent: Wednesday, December 16, 2009 11:55 PM
To: NT System Admin Issues
Subject: Granular Admin Rights
Importance: High

I was wondering if it is possible to have granular admin rights/capabilities for an AD? If so, could someone provide a template or point me in the general direction of additional material that will help me in my quest.

I am responsible for our entire infrastructure and currently a member of the Domain Admins group (which is probably not the best way to go about things). However, I'm going off on holiday and the bosses want to grant someone else in the company some admin rights, not as much as me, until my return.

Hence I was thinking of restructuring the security aspect of our AD and have graded admin groups that users could be given membership to, thus allowing them capabilities that differ from user to user.

Regards,

Rab.

Robert Jackson
Software Engineer
Walker Martyn Ltd
1 Park Circus Place
Glasgow G3 6AH, Scotland
Phone: +44 (0) 141 332 7999
Fax: +44 (0) 141 331 2820
Email: [email protected]
Web: http://www.walkermartyn.co.uk

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
