Domain and Exchange Admins Group

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

One member of our security team has requested to be made a
member of the Domain Admins and Exchange Admins group. I
see this as being a risk with his past experiences.

How can I give him rights to create domain user and
exchange mailboxes without giving him rights to the groups
above.

I know you feel for me when I say I can live with giving
him access to create accounts but not actually being able
to restart a server or look at someone elses email.

Any assistance is appreciated....

 

[Guest]

Archived from groups: microsoft.public.win2000.security (More info?)

You may delegate control of specific task(s) to specific user. In "Active
Directory Users and Computers" just right click on the OU, where the
specific user needs appropriate rights (for example create user) and click
"Delegate Control". Wizard will help you with this.
Regards Petr

"Olsen" <anonymous@discussions.microsoft.com> wrote in message
news:24d201c4aabb$a62a8ff0$a501280a@phx.gbl...
> One member of our security team has requested to be made a
> member of the Domain Admins and Exchange Admins group. I
> see this as being a risk with his past experiences.
>
> How can I give him rights to create domain user and
> exchange mailboxes without giving him rights to the groups
> above.
>
> I know you feel for me when I say I can live with giving
> him access to create accounts but not actually being able
> to restart a server or look at someone elses email.
>
> Any assistance is appreciated....