AD Permissions

hutch
Dec 22, 2002
Archived from groups: microsoft.public.win2000.active_directory

We are on win2000 AD.

I have given our desktop support guys permissions to change passwords and to
add computers to our domain. This is so when they build a new pc, they can
join it to our domain.
However, what I have noticed is that they can now create users, modify
users, etc. They are unable to modify any admin accounts, but still, I
don't think this is right.
Any ideas what I might have done wrong when setting up their permissions?

Thanks,
Hutch
 
Guest

"Hutch" <Hutch@discussions.microsoft.com> wrote in message
news:D6D4AFB3-7C4B-49AB-B3EB-A1F9EEAE4183@microsoft.com...

It would help if you told us precisely what permission you added and
how you added them (Delegation Wizard, Direct Permissions on Property
sheet, ???).

You might consider revoking all of this, and permitting them to add
computers only in certain OUs.

Audit Account management, make the business rules explicit and in writing,
and make it clear that termination is the remedy for violating the trust
placed in them to do certain things and that this does not imply permission
to do others even if they figure out how to do so.

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

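The "revoke it all and re-grant only on certain OUs" advice above, as an added example that is not part of the thread and not Herb's or Hutch's own commands. It uses the ActiveDirectory PowerShell module (RSAT, Server 2008 R2 or later; the Windows 2000 domain in the thread would have to use ADSI or dsacls instead). The group name CORP\DesktopSupport and the OUs OU=Staff and OU=Workstations are hypothetical; the rights and class GUIDs are the well-known ones and are the same in every forest.

```powershell
# Added example, not from the thread. Audits, revokes and re-scopes a helpdesk
# group's delegation with the ActiveDirectory module (RSAT; Server 2008 R2 or
# later, so not something the Windows 2000 DCs in the thread could run).
# Hypothetical names: group CORP\DesktopSupport, OUs OU=Staff (user accounts)
# and OU=Workstations (joined PCs) directly under the domain root.
Import-Module ActiveDirectory

$groupName  = 'CORP\DesktopSupport'
$domainDN   = (Get-ADDomain).DistinguishedName
$staffOU    = "OU=Staff,$domainDN"
$workstnOU  = "OU=Workstations,$domainDN"

# Well-known rights/class GUIDs; these are the same in every forest.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right: Reset Password
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema class: user
$computerClass      = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schema class: computer

$sid = ([System.Security.Principal.NTAccount]$groupName).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 1. Audit: every container in the domain with an explicit (non-inherited) ACE for
#    the group. A password-reset delegation should appear as one ExtendedRight ACE
#    whose ObjectType is the Reset Password GUID; CreateChild/WriteProperty on the
#    user class or GenericAll means more was granted than the ticket asked for.
function Get-GroupDelegation {
    param([string]$SearchBase, [System.Security.Principal.SecurityIdentifier]$Sid)
    $filter = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'
    foreach ($obj in Get-ADObject -SearchBase $SearchBase -LDAPFilter $filter) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            if ($aceSid -ne $Sid) { continue }
            [pscustomobject]@{
                Object              = $obj.DistinguishedName
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = $ace.ObjectType           # right/attribute GUID, all-zero means "everything"
                InheritedObjectType = $ace.InheritedObjectType  # object class the ACE applies to
                Inheritance         = $ace.InheritanceType
            }
        }
    }
}

# 2. Revoke: drop every explicit ACE for the group on one object.
function Remove-GroupDelegation {
    param([string]$ObjectDN, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $acl.PurgeAccessRules($Sid)
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

# 3. Grant one ACE on one object.
function Add-GroupDelegation {
    param([string]$ObjectDN, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

# Show what is there now, then strip it from every container that has it.
$current = Get-GroupDelegation -SearchBase $domainDN -Sid $sid
$current | Format-Table -AutoSize
foreach ($dn in ($current.Object | Sort-Object -Unique)) { Remove-GroupDelegation -ObjectDN $dn -Sid $sid }

# Reset Password only, on user objects below OU=Staff (not on the OU itself, and
# not at the domain root, where it would also cover the admin-heavy containers).
$resetPwd = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', $resetPasswordRight, 'Descendents', $userClass)
Add-GroupDelegation -ObjectDN $staffOU -Rule $resetPwd

# Create (and delete) computer objects in OU=Workstations only. A technician who
# creates the object while joining owns it, which covers that join; joining to an
# object somebody else pre-staged needs extra rights on that object.
$createComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild, DeleteChild', 'Allow', $computerClass, 'All')
Add-GroupDelegation -ObjectDN $workstnOU -Rule $createComputer

# Verify: only the two narrow ACEs should remain.
Get-GroupDelegation -SearchBase $domainDN -Sid $sid | Format-Table -AutoSize
```

Run the audit step first and keep its output: the Rights/ObjectType columns tell you whether the group holds a single Reset Password extended right or something broader, which is the question the thread is trying to answer, and the same listing after re-delegation is the evidence that nothing wider survived.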
 

hutch

I gave the two noted permissions through the Delegation Wizard.

The "add computers" I did that only on the computers OU in AD, but the
password permissions I did at the top of the tree.

I like the idea of auditing...I think I'll turn that on.

I'll also try removing all the permissions and reapplying.

Thanks for the tips / advice.
Hutch

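Herb's "Audit Account management" suggestion, which Hutch says he will turn on, as an added example that is not part of the thread. It enables the account-management audit subcategories on a domain controller and then reads the Security log to list what members of the delegated group actually did, flagging anything outside the two delegated tasks. It assumes the ActiveDirectory module and Server 2008 or later event IDs (Windows 2000 used different IDs); the group name DesktopSupport is hypothetical.

```powershell
# Added example, not from the thread. Turns on account-management auditing on a
# DC and then reports what members of a delegated group actually did, read from
# the Security log. Needs the ActiveDirectory module and a DC's Security log
# (Server 2008 or later event IDs; Windows 2000 used different IDs).
# Hypothetical group name: DesktopSupport.

# Enable the two relevant subcategories (local policy; "Audit account management"
# in the Default Domain Controllers Policy GPO has the same effect and wins over it).
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable

Import-Module ActiveDirectory

# What the delegation is supposed to cover versus everything account-related.
$allowed = 4724, 4741                       # password reset, computer account created
$watch = @{
    4720 = 'User created';  4724 = 'Password reset';   4726 = 'User deleted'
    4738 = 'User changed';  4741 = 'Computer created'; 4743 = 'Computer deleted'
}

# Pull the Subject/Target fields out of one event's XML.
function ConvertFrom-AccountEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        Id         = $Event.Id
        Action     = $watch[[int]$Event.Id]
        Actor      = $data['SubjectUserName']   # who did it
        Target     = $data['TargetUserName']    # account acted on
        OutOfScope = ($allowed -notcontains $Event.Id)
    }
}

# Every watched event in the window whose actor is a (nested) member of the group.
function Get-DelegateActivity {
    param([string]$Group, [datetime]$Since = (Get-Date).AddDays(-7))
    $members = Get-ADGroupMember -Identity $Group -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $filter  = @{ LogName = 'Security'; Id = [int[]]$watch.Keys; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AccountEvent -Event $_ } |
        Where-Object { $members -contains $_.Actor }
}

$activity = Get-DelegateActivity -Group 'DesktopSupport'
$activity | Sort-Object Time | Format-Table Time, Actor, Action, Target, OutOfScope -AutoSize

# Anything out of scope (a user created, changed or deleted by a helpdesk account)
# is exactly what the written rules say the group may not do: this is the list to act on.
$activity | Where-Object OutOfScope
```

Run it on each domain controller (or point it at forwarded logs), because account-management events are written only on the DC that processed the change. The OutOfScope column is what turns the audit into something the written business rules can be enforced with: a password reset or a computer join is expected, a user created by a desktop technician is not.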